It looks like a weird standard then, as prefixing a JSON message with 
"{}&&" makes it invalid with respect to the JSON specification.

"&&" isn't accepted in any of:
- the original JSON spec (http://json.org/) 
- the ECMA 404 version 
(http://www.ecma-international.org/publications/standards/Ecma-404.htm)
- the proposed IETF RFC version (http://tools.ietf.org/html/rfc7159)

The fact that such an invalid JSON message may work with some JSON parser 
implementations gives absolutely no guarantee that it will work in everyone's, nor 
that it will still work in future editions of those parsers.

The safer way to protect JSON messages from JSON hijacking is to never send 
raw arrays but to embed them in an object:

//wrong
["foo","bar","baz"]

//right
{"data":["foo","bar","baz"]}


On Tuesday, September 2, 2014 at 23:01:32 UTC+2, [email protected] wrote:
>
>
> http://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.html#setPrefixJson-boolean-
>
> Yeah, it's a somewhat common standard. 
>
> On Monday, September 1, 2014 9:43:35 PM UTC+3, Simon Lindholm wrote:
>>
>> We do some forms of such JSON prefix stripping, but not for {}&&. See 
>> https://github.com/firebug/firebug/blob/master/extension/content/firebug/lib/json.js.
>>  
>> Is "{}&&" a common standard?
>>
>> On Sunday, August 31, 2014 at 22:25:19 UTC+2, 
>> [email protected] wrote:
>>>
>>> Prefixing the JSON string in this manner is used to help prevent JSON 
>>> Hijacking. The prefix renders the string syntactically invalid as a script 
>>> so that it cannot be hijacked. However, Firebug does not seem to be able to 
>>> evaluate it as JSON either, because Firebug isn't creating the JSON tab for 
>>> these kinds of responses. Is this a bug, a feature or a defect? 
>>>
>>> Would it be possible that when the returned JSON has the {}&& prefix it 
>>> would work the same way as if it didn't have it, just cutting it out?
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Firebug" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/firebug.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/firebug/1a42f011-6f66-4797-bb65-ac8b70a8ee8e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
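To make the two claims made in this thread concrete, that the "{}&&" prefix (and the object-wrapped form) is not a valid script while a bare array is, and that a client such as a debugger has to strip the prefix before JSON.parse will accept the body, here is an added example. It is not code from the thread, from Firebug or from Spring; the prefix list, the sample responses and the function names are constructed for this example.

```javascript
// Added example, not Firebug or Spring code: decide whether a response body
// would load as a script (the property JSON hijacking relies on), and strip a
// known anti-hijacking prefix before parsing the body as JSON.

// Anti-hijacking prefixes seen in the wild. The list is an assumption for this
// example; a real client should only strip what its own server contract uses.
// Longer variants come first so that startsWith() matches the full prefix.
const ANTI_HIJACK_PREFIXES = ["{}&&", ")]}',\n", ")]}'", "while(1);", "for(;;);"];

// Constructed sample responses, the same shapes discussed in the thread.
const SAMPLE_RESPONSES = {
  rawArray: '["foo","bar","baz"]',
  wrappedObject: '{"data":["foo","bar","baz"]}',
  prefixedArray: '{}&&["foo","bar","baz"]',
  prefixedObject: '{}&&{"data":["foo","bar","baz"]}',
  loopPrefixedArray: 'while(1);["foo","bar","baz"]',
};

// True if `body` parses under the JavaScript grammar, i.e. what a
// <script src="..."> inclusion from an attacker's page would accept.
// The Function constructor applies that grammar to its argument without
// running anything, so a SyntaxError here means a script tag would fail too.
// Note this is a syntax check only: "while(1);" style prefixes are valid
// syntax and work by never letting execution reach the data instead.
function loadsAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// True if `body` is accepted by a strict JSON parser as-is.
function isStrictJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Remove one known prefix, if present. Only an exact, allow-listed prefix is
// removed; scanning forward to the first "[" or "{" would let an attacker-
// controlled body decide what gets discarded.
function stripJsonPrefix(body) {
  for (const prefix of ANTI_HIJACK_PREFIXES) {
    if (body.startsWith(prefix)) return body.slice(prefix.length);
  }
  return body;
}

// What a debugger's "JSON tab" would do: strip the prefix, then parse strictly.
function parseGuardedJson(body) {
  return JSON.parse(stripJsonPrefix(body));
}

// Summarise one response: is it JSON as sent, would a script tag load it,
// and what does a prefix-aware client recover from it.
function classify(body) {
  return {
    strictJson: isStrictJson(body),
    loadsAsScript: loadsAsScript(body),
    parsed: parseGuardedJson(body),
  };
}

for (const [name, body] of Object.entries(SAMPLE_RESPONSES)) {
  const c = classify(body);
  console.log(`${name}: strictJson=${c.strictJson} loadsAsScript=${c.loadsAsScript}`);
}
```

Running the loop shows the point of the thread: the bare array is both valid JSON and a valid script (so it is the one shape worth protecting), the object-wrapped form is valid JSON but not a valid script, and the "{}&&"-prefixed forms are not valid scripts but are no longer JSON either, which is why a strict parser rejects them until the prefix is cut off. The "while(1);" case passes the syntax check and is listed only to show that loadsAsScript() measures syntax, not every hijacking defence.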
