iron-ajax
jsonPrefix removes entire event.detail.response
Description
jsonPrefix removes entire event.detail.response
Expected outcome
foo is stripped from `{ foo: [object, object, object] }`
`event.detail.response` should exist with `{ [object, object, object] }` or just `[object, object, object]`
I expect this from the linked article from docs:
> The ASP.NET AJAX library uses the “d” parameter formatting for JSON data. This forces the data in the example to appear in the following form: {“d” : [“bankaccountnumber”, “$1234.56”] } Because this is not a valid JavaScript statement, it cannot be parsed and instantiated as a new object in JavaScript. This therefore prevents the cross-site scripting attack from accessing data from AJAX JSON services on other domains. The Microsoft Ajax client libraries automatically strip the “d” out, but other client libraries, such as JQuery, would have to take the “d” property into account when using such services.
Steps to reproduce
- json-prefix='foo'
- json returned from api call is `{ foo: [object, object, object] }`
- After jsonPrefix, entire json is gone. `event.detail.response` is nonexistent.
Browsers Affected
- [x] Chrome
- [ ] Firefox
- [ ] Safari 9
- [ ] Safari 8
- [ ] Safari 7
- [ ] Edge
- [ ] IE 11
- [ ] IE 10
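
Added example, not part of the issue and not iron-ajax's code: the quoted passage describes a wrapper property (`d`), which is a different guard from a literal text prefix placed in front of the JSON body, and the two need different client handling. The function names, the `)]}',` guard string and the sample bodies are constructed, and `parseBlindStrip` is an assumed naive client, not iron-ajax's implementation.

```javascript
// Added example; function names and sample bodies are constructed.

// Style 1: literal text prefix before the JSON body (e.g. ")]}',\n").
// Strip it only when it is really there, then parse; otherwise fail closed.
function parseWithTextPrefix(body, prefix) {
  if (!body.startsWith(prefix)) {
    return { ok: false, value: null, reason: 'prefix not present' };
  }
  try {
    return { ok: true, value: JSON.parse(body.slice(prefix.length)), reason: '' };
  } catch (err) {
    return { ok: false, value: null, reason: 'invalid JSON after prefix' };
  }
}

// Style 2: wrapper property such as "d". The body is already valid JSON,
// so parse first and unwrap the named own property afterwards.
function parseWithWrapper(body, key) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (err) {
    return { ok: false, value: null, reason: 'invalid JSON' };
  }
  const isPlainObject = parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed);
  if (!isPlainObject || !Object.prototype.hasOwnProperty.call(parsed, key)) {
    return { ok: false, value: null, reason: 'wrapper key missing' };
  }
  return { ok: true, value: parsed[key], reason: '' };
}

// Assumed naive client: drops prefix.length characters without checking them.
function parseBlindStrip(body, prefix) {
  try {
    return JSON.parse(body.slice(prefix.length));
  } catch (err) {
    return null;
  }
}

const GUARD = ")]}',\n";                              // constructed guard string
const prefixedBody = GUARD + '[{"id":1},{"id":2}]';   // constructed sample
const wrappedBody = '{"foo":[{"id":1},{"id":2}]}';    // constructed sample

console.log(parseWithTextPrefix(prefixedBody, GUARD)); // accepted, array unwrapped
console.log(parseWithWrapper(wrappedBody, 'foo'));     // accepted, array unwrapped
console.log(parseWithTextPrefix(wrappedBody, 'foo'));  // rejected: no such prefix
console.log(parseBlindStrip(wrappedBody, 'foo'));      // blind strip corrupts the body
```

Checking that the prefix is actually present before stripping turns a misconfigured guard into an explicit error instead of a silently empty response.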