Re: [whatwg/fetch] json() function does not support anti-json hijacking techniques (#321) from Duan Yao on 2016-06-09 (public-webapps-github@w3.org from June 2016)

From: Duan Yao <notifications@github.com>
Date: Wed, 08 Jun 2016 20:35:11 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc:
Message-ID: <whatwg/fetch/issues/321/224792347@github.com>

@lostmsu , did you read http://www.thespanner.co.uk/2011/05/30/json-hijacking/ ? You don't have to prefix your JSON with `while(1);` to protect old browsers, just make sure your JSON is always an object `{ "foo" : ... }`, not an array `[ ... ]`, because the former is not valid JS.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/321#issuecomment-224792347

Received on Thursday, 9 June 2016 03:35:38 UTC