Understanding the Prepended Code in Google's JSON Responses
Google frequently adds a preface of "while(1);" to the start of its private JSON responses. This practice has raised questions about its purpose.
Preventing JSON Hijacking
The primary reason for this prepended code is to thwart JSON hijacking. JSON hijacking is a security vulnerability that lets an attacker's site read sensitive data by loading another site's JSON response as an external script. With "while(1);" prepended, a response loaded that way never reaches its data, because the script enters an infinite loop as soon as it starts running.
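The defence described above, as an added example (not Google's code and not code from the original page): a server helper prepends the guard, and a same-origin client, which can read the raw response text, verifies and strips it before calling JSON.parse. The names GUARD, guardJson, parseGuardedJson and isBareJson and the sample record are assumptions made for illustration.

```javascript
// Added example. All names here are hypothetical, not a Google API.
const GUARD = "while(1);";

// Server side: serialize the value and prepend the guard, so the body is
// no longer usable when included as a script or fed directly to JSON.parse.
function guardJson(value, guard = GUARD) {
  return guard + JSON.stringify(value);
}

// Client side (same origin): the caller has read the body as text, for
// example through fetch or XMLHttpRequest. Verify the guard, strip it,
// then parse. A body without the guard is rejected (fail closed).
function parseGuardedJson(body, guard = GUARD) {
  if (typeof body !== "string" || !body.startsWith(guard)) {
    throw new Error("missing JSON guard prefix");
  }
  // JSON.parse only builds data; it never executes code, unlike eval()
  // or a <script> include.
  return JSON.parse(body.slice(guard.length));
}

// True when the body parses as plain JSON with nothing stripped.
function isBareJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample data, not a real response.
const sample = [{ id: 1, email: "user@example.com" }];
const wire = guardJson(sample);

console.log(wire);                            // guarded body as sent
console.log(isBareJson(wire));                // guarded body is not bare JSON
console.log(parseGuardedJson(wire)[0].email); // data after stripping
```

A cross-origin page that pulls the same URL in through a script tag cannot read or edit the response text, so it has no way to perform the stripping step.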
Technical Details
JSON hijacking relies on the fact that browsers allow a website to dynamically alter the behavior of methods on the "Array" and "Function" global objects. An attacker could therefore have their own code execute whenever specific attributes of an object in the response are set.
Alternative Syntax
Besides "while(1);", Google also employs variations in different services:
These variations serve the same purpose of preventing JSON hijacking and promoting safe JSON parsing.
Browser Compatibility
JSON hijacking has been addressed in all major browsers since 2011 through ECMAScript 5's Same-Origin Policy, which restricts scripts from different origins from accessing data. However, the prepended code provides an additional layer of protection against potential vulnerabilities in older browsers or non-compliant websites.