Handling anti-XSS prefixes

Open JulianBirch opened this issue 10 years ago • 3 comments

In cljs-ajax, I've got a feature that allows you to specify that you're expecting a JSON response to be prefixed with (for instance) `while(1);`, like some Google APIs do. Would you be interested in a PR that added such a feature into the opts in Cheshire?

JulianBirch, Sep 13 '15 15:09

@JulianBirch I'm afraid I don't quite understand what this does, can you give me an example input that you are talking about? What does this have to do with CSS?

dakrone, Sep 14 '15 20:09

Really should have written XSS, sorry (edited the heading). An example is something like `while(1);{"a" "b"}`. Typically this is coming back as a response to a GET. So you need to strip the prefix off to get a useful result. (Namely `{"a" "b"}`)

Here's a reference on it: http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses

JulianBirch, Sep 14 '15 20:09

@JulianBirch ahh okay, that makes much more sense than CSS :)

I think it would be worth adding, perhaps as a special decode-with-leader method or something similar?

dakrone, Sep 15 '15 16:09
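
The prefix handling discussed in this thread, as an added example that is not part of the thread and not Cheshire's own code. The name `decode-with-leader` is borrowed from the suggestion above, but its signature, the options map and the fail-closed default are assumptions; only `cheshire.core/parse-string` is the library's real API.

```clojure
(ns example.leader
  (:require [cheshire.core :as json]
            [clojure.string :as str]))

(defn strip-leader
  "Returns s without `leader`, or nil when s does not start with it.
  Whitespace before the leader and between leader and body is ignored."
  [s leader]
  (let [s (str/triml s)]
    (when (str/starts-with? s leader)
      (str/triml (subs s (count leader))))))

(defn decode-with-leader
  "Hypothetical helper: parse a JSON response that carries an anti-XSS leader.
  opts (all assumptions of this example):
    :leader    the exact prefix the endpoint is documented to send
    :required? when true (default), a missing leader is an error, so an
               endpoint that stopped sending the prefix is noticed rather
               than silently accepted
    :key-fn    passed through to cheshire.core/parse-string"
  [s {:keys [leader required? key-fn] :or {required? true}}]
  (let [body (strip-leader s leader)]
    (cond
      body      (json/parse-string body key-fn)
      required? (throw (ex-info "expected anti-XSS leader not found"
                                {:leader leader}))
      :else     (json/parse-string s key-fn))))

(comment
  ;; Constructed sample responses, not captured from any real API.
  (decode-with-leader "while(1);{\"a\": \"b\"}" {:leader "while(1);"})

  ;; Leader followed by a newline, keys converted to keywords.
  (decode-with-leader "while(1);\n{\"a\": \"b\"}"
                      {:leader "while(1);" :key-fn keyword})

  ;; No leader present: throws by default, parses as-is when not required.
  (decode-with-leader "{\"a\": \"b\"}" {:leader "while(1);"})
  (decode-with-leader "{\"a\": \"b\"}" {:leader "while(1);" :required? false}))
```

Matching the one expected leader exactly, rather than skipping everything up to the first `{`, keeps the parser from accepting arbitrary text in front of the JSON body.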