Comment blocks around JSON responses

Published 2019-04-07 00:26

Question:

I've noticed that some web applications return AJAX responses with JSON data embedded within a comment block. For example, this would be a sample response:

/*{
 "firstName": "John",
 "lastName": "Smith",
 "address": {
     "streetAddress": "21 2nd Street",
     "city": "New York",
     "state": "NY",
     "postalCode": 10021
 },
 "phoneNumbers": [
     "212 555-1234",
     "646 555-4567"
 ]} */

What is the benefit of embedding the JSON data in a comment block? Is there some sort of security exploit which is avoided by doing this?

Answer 1:

It's done to avoid a third party site hijacking your data using a <script> tag and overriding the Object constructor to grab the data as it is built.

When the JSON data is surrounded by comments, it is no longer directly executable via a <script> tag, and is thereby "more secure".

See the PDF at http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for more information (with examples).
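As an added example (not from the original question or answer), here is a wrap/unwrap pair for the scheme discussed above: the server emits the JSON inside a `/* ... */` comment, and the client strips the wrapper before parsing and refuses a bare JSON body so that a misconfigured endpoint is noticed rather than silently accepted. The function names `wrapJsonResponse` and `unwrapJsonResponse` are assumptions, and the sample body is constructed from the response shown in the question.

```javascript
// Added example, not from the original post. Assumes the server wraps its
// JSON body as "/*" + json + "*/" exactly as in the question.

const WRAP_OPEN = "/*";
const WRAP_CLOSE = "*/";

// Server side: wrap a value so that the raw body is only a comment when
// loaded via <script>, while the legitimate XHR/fetch caller can unwrap it.
function wrapJsonResponse(value) {
  return WRAP_OPEN + JSON.stringify(value) + WRAP_CLOSE;
}

// Client side: verify the wrapper is present, strip it, then parse.
// Throws on an unwrapped body so the caller never falls back to eval.
function unwrapJsonResponse(body) {
  const text = body.trim();
  if (!text.startsWith(WRAP_OPEN) || !text.endsWith(WRAP_CLOSE)) {
    throw new Error("response is not comment-wrapped JSON");
  }
  const inner = text.slice(WRAP_OPEN.length, text.length - WRAP_CLOSE.length);
  return JSON.parse(inner); // JSON.parse handles the surrounding whitespace
}

// Constructed sample body, matching the response in the question (note the
// space before the closing "*/", which the unwrapper tolerates).
const sampleBody = `/*{
 "firstName": "John",
 "lastName": "Smith",
 "address": {
     "streetAddress": "21 2nd Street",
     "city": "New York",
     "state": "NY",
     "postalCode": 10021
 },
 "phoneNumbers": [
     "212 555-1234",
     "646 555-4567"
 ]} */`;

// Plain JSON.parse on the wrapped body fails; the unwrap step is required.
function wrappedBodyParsesDirectly(body) {
  try { JSON.parse(body); return true; } catch (e) { return false; }
}

const parsed = unwrapJsonResponse(sampleBody);
console.log(parsed.firstName, parsed.address.city, parsed.phoneNumbers.length);
```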

Tags: security json