javascript - Why does Google prepend while(1); to their JSON responses?

Why does Google prepend while(1); to their (private) JSON responses?

For example, here's a response while turning a calendar on and off in Google Calendar:

while(1);[['u',[['smsSentFlag','false'],['hideInvitations','false'],
  ['remindOnRespondedEventsOnly','true'],
  ['hideInvitations_remindOnRespondedEventsOnly','false_true'],
  ['Calendar ID stripped for privacy','false'],['smsVerifiedFlag','true']]]]

I would assume this is to prevent people from doing an eval() on it, but all you'd really have to do is replace the while and then you'd be set.

I would assume the eval prevention is to make sure people write safe JSON parsing code.

I've seen this used in a couple of other places, too, but a lot more so with Google (Mail, Calendar, Contacts, etc.). Strangely enough, Google Docs starts with &&&START&&& instead, and Google Contacts seems to start with while(1); &&&START&&&.

What's going on here?

asked by Jess (translated from SO)


1 Reply

0 votes
by (71.8m points)

It prevents JSON hijacking, a major JSON security issue that is formally fixed in all major browsers since 2011 with ECMAScript 5.

Contrived example: say Google has a URL like mail.google.com/json?action=inbox which returns the first 50 messages of your inbox in JSON format.

Evil websites on other domains can't make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a <script> tag.

The URL is visited with your cookies, and by overriding the global array constructor or accessor methods they can have a method called whenever an object (array or hash) attribute is set, allowing them to read the JSON content.

The while(1); or &&&BLAH&&& prevents this: an AJAX request at mail.google.com will have full access to the text content, and can strip it away.

But a <script> tag insertion blindly executes the JavaScript without any processing, resulting in either an infinite loop or a syntax error.

This does not address the issue of cross-site request forgery.


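The mechanism described in the answer, as an added example that is not part of the original question or answer and is not Google's own code. It shows the two halves of the defence: a same-origin client strips the guard prefix and parses the rest with JSON.parse, while a cross-site <script> include that compiles the whole response as a program gets either a syntax error (the &&&START&&& variant) or a never-terminating loop (the while(1); variant). It also checks the point about ECMAScript 5: an array literal is built from the engine's intrinsic Array, so a page-level override of the global Array constructor is never consulted. Function names, the guard list, and the sample payload are illustrative choices for this example; the payload is modelled on the calendar response above but uses double quotes so it is valid JSON rather than a JavaScript literal.

```javascript
// Added example, not code from the original post and not Google's own.
// Prefixes named on the page: the Calendar/Mail one and the Docs one.
const GUARD_PREFIXES = ["while(1);", "&&&START&&&"];

// Server side: put the guard in front of a real JSON body. The body itself
// stays strict JSON so the client can parse it without eval.
function guardJsonBody(value, prefix = "while(1);") {
  return prefix + JSON.stringify(value);
}

// Client side (same origin, so it sees the raw text): strip every known
// prefix, in any order or combination (Contacts uses both), then JSON.parse.
// A response with no prefix at all is rejected so a missing guard is noticed.
function parseGuardedJson(text) {
  let body = text.trimStart();
  let strippedAny = false;
  let progress = true;
  while (progress) {
    progress = false;
    for (const p of GUARD_PREFIXES) {
      if (body.startsWith(p)) {
        body = body.slice(p.length).trimStart();
        strippedAny = true;
        progress = true;
      }
    }
  }
  if (!strippedAny) {
    throw new Error("response lacks the expected anti-hijacking prefix");
  }
  return JSON.parse(body);
}

// What a <script src=...> include does first: compile the whole response as a
// JavaScript program. new Function only compiles and never runs the body, so
// the while(1) variant can be inspected here without looping. Returns
// "syntax-error" when the guard makes the text unparseable, "compiles" otherwise.
function classifyAsScript(text) {
  try {
    new Function(text);
    return "compiles";
  } catch (e) {
    return e instanceof SyntaxError ? "syntax-error" : "other-error";
  }
}

// The ES5 fix the answer refers to: array literals use the intrinsic Array,
// so overriding the global Array constructor is not consulted for `[1, 2, 3]`.
// Returns true when the literal was built without calling the override.
function arrayLiteralIgnoresGlobalOverride() {
  const original = globalThis.Array;
  let overrideCalled = false;
  globalThis.Array = function () { overrideCalled = true; };
  try {
    const literal = [1, 2, 3];
    return !overrideCalled && literal.length === 3;
  } finally {
    globalThis.Array = original;
  }
}

// Constructed sample modelled on the calendar response in the question.
const SAMPLE_PAYLOAD = [["u", [["smsSentFlag", "false"], ["hideInvitations", "false"]]]];

function demo() {
  const calendarStyle = guardJsonBody(SAMPLE_PAYLOAD);            // while(1);[...]
  const docsStyle = guardJsonBody(SAMPLE_PAYLOAD, "&&&START&&&"); // &&&START&&&[...]
  const contactsStyle = "while(1); &&&START&&&" + JSON.stringify(SAMPLE_PAYLOAD);
  let rawIsJson = true;
  try { JSON.parse(calendarStyle); } catch { rawIsJson = false; }
  return {
    calendar: parseGuardedJson(calendarStyle),
    docs: parseGuardedJson(docsStyle),
    contacts: parseGuardedJson(contactsStyle),
    rawIsJson,                                    // false: guard must be stripped first
    docsAsScript: classifyAsScript(docsStyle),    // "syntax-error"
    calendarAsScript: classifyAsScript(calendarStyle), // "compiles" (and would loop forever if run)
    literalBypassesOverride: arrayLiteralIgnoresGlobalOverride(), // true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The client parser deliberately refuses a response that carries no prefix: if the guard ever disappears from a response that should have it, a same-origin caller notices instead of silently accepting plain JSON.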