I've noticed that some web applications return AJAX responses with JSON data embedded within a comment block. For example, this would be a sample response:
/*{
  "firstName": "John",
  "lastName": "Smith",
  "address": {
    "streetAddress": "21 2nd Street",
    "city": "New York",
    "state": "NY",
    "postalCode": 10021
  },
  "phoneNumbers": [
    "212 555-1234",
    "646 555-4567"
  ]} */
What is the benefit of embedding the JSON data in a comment block? Is there some sort of security exploit which is avoided by doing this?
From stackoverflow
-
It's done to avoid a third-party site hijacking your data using a <script> tag and overriding the Object constructor to grab the data as it is built. When the JSON data is surrounded by comments, it no longer is directly executable via a <script> tag, and thereby "more secure". See the PDF at http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for more information (with examples).
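Both halves of the scheme the answer describes, as an added example that is not part of the original question or answer. The function names and the sample object are mine; it assumes only the response format shown in the question, and it also covers the one edge case the wrapper has: a "*/" inside a string value.

```javascript
// Server side: wrap a value as commented JSON. The solidus is escaped ("\/" is a
// legal JSON escape), so a "*/" inside a string value cannot close the comment
// early and turn the rest of the body into executable script.
function wrapAsCommentedJson(value) {
  const json = JSON.stringify(value).replace(/\//g, "\\/");
  return "/*" + json + "*/";
}

// Client side: strict unwrap. Anything that is not exactly one comment-wrapped
// object or array (an error page, a redirect, a bare string) is rejected instead
// of being parsed silently.
function unwrapCommentedJson(body) {
  const text = body.trim();
  if (!text.startsWith("/*") || !text.endsWith("*/")) {
    throw new Error("response is not comment-wrapped JSON");
  }
  const inner = text.slice(2, -2).trim();
  if (inner[0] !== "{" && inner[0] !== "[") {
    throw new Error("unexpected JSON payload shape");
  }
  return JSON.parse(inner);
}

// Models what a <script> tag does with the body: evaluate it as a program. A
// correctly wrapped body is one comment and yields nothing; a body whose comment
// closed early throws a SyntaxError here instead of exposing the data.
function evaluateAsScript(body) {
  return new Function(body)();
}

// Constructed sample with the shape of the question's response, plus a string
// value containing "*/" to exercise the escaping.
const SAMPLE = {
  firstName: "John",
  lastName: "Smith",
  address: { streetAddress: "21 2nd Street", city: "New York", state: "NY", postalCode: 10021 },
  phoneNumbers: ["212 555-1234", "646 555-4567"],
  note: "ends with */ literally",
};

// Naive wrapping without the escape, kept only to show the failure mode.
function wrapNaively(value) {
  return "/*" + JSON.stringify(value) + "*/";
}

const wrapped = wrapAsCommentedJson(SAMPLE);
console.log(evaluateAsScript(wrapped));                 // undefined: nothing ran
console.log(unwrapCommentedJson(wrapped).note);         // ends with */ literally
```

Note that the wrapper only stops the response from being loaded as a script; it does nothing for a client that can read the raw body, so the usual same-origin and authentication checks still apply.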