什么样的 json 答案以 )]}' 开头
我注意到一些 json 查询,特别是在谷歌服务中,返回一个特殊的“json”,它以结束序列开头,然后它只有一个数组结构,用方括号指定。
这是什么类型的ajax?是否有一些库,js或py,解析它?
举一个更具体的例子:
>>> import json
>>> import urllib2
>>> url=urllib2.urlopen("https://plus.google.com/u/0/_/socialgraph/lookup/visible/?o=%5Bnull%2Cnull%2C%22114423404493486623226%22%5D")
>>> url.readline()
")]}'\n"
>>> url.readline()
'\n'
>>> url.readline()
'[["tsg.lac",[]\n'
从那里开始,一个典型的数组如下。因此,完整的答案是一个两行“标头”,然后是一个数组,但“标头”非常令人费解,我想知道它是否来自标准 ajax 库,或者只是这些人的想法。
啊,如果你使用 Chrome 的开发者工具来查看实际的查询,你会看到同样的结果。所以我相信这是一个实际的答案,而不是查询的产物。
I have noticed that some json queries, particularly in google services, return a peculiar "json" which starts with a closing sequence and then it has just a array structure, specified with square braces.
What kind of ajax is this? Is there some library, js or py, parsing it?
To put a more concrete example:
>>> import json
>>> import urllib2
>>> url=urllib2.urlopen("https://plus.google.com/u/0/_/socialgraph/lookup/visible/?o=%5Bnull%2Cnull%2C%22114423404493486623226%22%5D")
>>> url.readline()
")]}'\n"
>>> url.readline()
'\n'
>>> url.readline()
'[["tsg.lac",[]\n'
and from there, a typical array follows. The full answer is thus a two line "header" and then an array, but the "header" is very puzzling and I wonder if it comes from an standard ajax library or it is just an idea of these guys.
Ah, if you use the developer tools of Chrome to look into the actual queries, you see the same. So I am induced to believe that it is an actual answer and not an artifact of the query.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在消息开头使用无效的 JSON 是击败 CSRF 和 对 JavaScript 数组构造函数的狡猾攻击。
如果该 URL 返回一个有效的、未包装的数组,那么您访问的任何网站都可以重载该数组函数,在页面上放置/注入对该 Google+ URL 的脚本引用,并在您只需加载其页面时获取您的私有/安全数据。
Google 自己的客户端代码可以在解析之前删除无效的 JSON,因为它使用传统的 XHR 请求,这使他们可以访问原始响应。远程站点只能通过脚本元素注入来访问它,并且没有机会在浏览器解析数据之前对数据进行预处理。后者类似于 JSONP 的工作方式,数组构造函数不知不觉地成为回调函数。
您会在许多知名网站上看到类似的方法,这些网站返回 JSON 数组以响应 GET 请求。例如,Facebook 用
for (;;);来填充它们。如果您尝试对这些 Facebook API 使用 CSRF 攻击,浏览器只会在远程站点上进入无限循环,引用 Facebook 的私有 API。在 Facebook.com 上,他们的客户端代码有机会在运行 JSON.parse() 之前将其删除。Using invalid JSON at the beginning of a message is one way to defeat a combination of CSRF and a tricky attack on JavaScript's array constructor.
If that URL returned a valid, unwrapped array, then any site you visited could overload the Array function, place/inject a script reference to that Google+ URL on the page, and harvest your private/secure data when you simply loaded their page.
Google's own client-side code can strip that invalid JSON out before parsing it, because it's using a traditional XHR request which gives them access to the raw response. A remote site can only access it via script element injection and has no chance to pre-process the data before the browser parses it. The latter is similar to how JSONP works, with the Array constructor unwittingly becoming the callback function.
You'll see a similar approach on many high profile sites that return JSON arrays in response to GET requests. Facebook pads theirs with
for (;;);, for example. If you try to use the CSRF attack on those Facebook APIs, the browser just enters an infinite loop on the remote site making reference to Facebook's private API. On Facebook.com, their client-side code has an opportunity to strip that off before running a JSON.parse() on it.