Why does Google prepend while(1); to their JSON responses?

后端未结

关注

 7  1714

一整个雨季 2020-11-22 06:43

Why does Google prepend while(1); to their (private) JSON responses?

For example, here\'s a response while turning a calendar on and off in Google Calen

7条回答

终归单人心 (楼主)

2020-11-22 07:14

It prevents disclosure of the response through JSON hijacking.

In theory, the content of HTTP responses are protected by the Same Origin Policy: pages from one domain cannot get any pieces of information from pages on the other domain (unless explicitly allowed).

An attacker can request pages on other domains on your behalf, e.g. by using a