
StackOverflow

[Javascript] Why the JSON data received from Google Calendar or Google Docs contains code like while(1); or &&START&&

http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses


Q: The JSON data received from Google Calendar or Google Docs contains code like while(1); or &&START&&. What is the reason for this?

(Asked by: Andrew Koester)


A: This is to prevent JSON hijacking.

http://haacked.com/archive/2009/06/25/json-hijacking.aspx/

For example, an attacker sends a mail containing some script to Gmail. The attacker cannot make an AJAX call directly, but can insert a specific URL using a <script> tag. That URL is accessed with your cookies, and by overriding the global array constructor or accessor methods the attacker can have their script run every time an attribute value is set, and can thereby read your e-mail list.

If while(1); or &&START&& is included, the attacker's script falls into an infinite loop or raises a syntax error when it executes.

(Answered by: rjh)


Why does Google prepend while(1); to their (private) JSON responses?

For example, here's a response while turning a calendar on and off in Google Calendar:

while(1);[['u',[['smsSentFlag','false'],['hideInvitations','false'],
  ['remindOnRespondedEventsOnly','true'],
  ['hideInvitations_remindOnRespondedEventsOnly','false_true'],
  ['Calendar ID stripped for privacy','false'],['smsVerifiedFlag','true']]]]

I would assume this is to prevent people from doing an eval() on it, but all you'd really have to do is replace the while and then you'd be set. I would assume the eval prevention is to make sure people write safe JSON parsing code.

I've seen this used in a couple of other places, too, but a lot more so with Google (Mail, Calendar, Contacts, etc.). Strangely enough, Google Docs starts with &&&START&&& instead, and Google Contacts seems to start with while(1); &&&START&&&.

What's going on here?


It prevents JSON hijacking.

Contrived example: say Google has a URL like mail.google.com/json?action=inbox which returns the first 50 messages of your inbox in JSON format. Evil websites on other domains can't make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a <script> tag. The URL is visited with your cookies, and by overriding the global array constructor or accessor methods they can have a method called whenever an object (array or hash) attribute is set, allowing them to read the JSON content.

The while(1); or &&&BLAH&&& prevents this: an AJAX request at mail.google.com will have full access to the text content, and can strip it away. But a <script> tag insertion blindly executes the JavaScript without any processing, resulting in either an infinite loop or a syntax error.

This does not address the issue of cross-site request forgery.

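The two code paths the answer contrasts, as an added example that is not part of the StackOverflow post or of Google's client code: a same-origin client that removes the guard prefix and hands the remainder to a real JSON parser, next to a check of what a cross-origin <script> tag would do with the very same bytes. The response strings are constructed to mirror the shapes quoted in the question (valid JSON after the prefix, so that JSON.parse can consume them); the prefix list and function names are this example's own assumptions. The blind-execution check only compiles the text with new Function and never runs it, so the while(1) loop cannot hang the demo.

```javascript
// Added example (not from the StackOverflow post or Google's code).
// Constructed sample responses modelled on the ones quoted in the question.
const CALENDAR_RESPONSE =
  'while(1);[["u",[["smsSentFlag","false"],["hideInvitations","false"]]]]';
const DOCS_RESPONSE = '&&&START&&&{"docs":[{"id":"doc-1","title":"Q3 plan"}]}';
const CONTACTS_RESPONSE = 'while(1); &&&START&&&[["Alice","alice@example.com"]]';

// Guard prefixes a cooperating same-origin client knows how to remove
// (assumed list; the Contacts-style response carries both, so strip repeatedly).
const KNOWN_PREFIXES = ["while(1);", "&&&START&&&"];

function stripGuardPrefix(text) {
  let rest = text.trimStart();
  let stripped = true;
  while (stripped) {
    stripped = false;
    for (const prefix of KNOWN_PREFIXES) {
      if (rest.startsWith(prefix)) {
        rest = rest.slice(prefix.length).trimStart();
        stripped = true;
      }
    }
  }
  return rest;
}

// Same-origin path from the answer: the XHR caller has the full text, removes
// the prefix, and parses the remainder with JSON.parse (never eval).
function parseGuardedJson(text) {
  return JSON.parse(stripGuardPrefix(text));
}

// A client that forgets to strip the prefix fails closed: JSON.parse rejects
// the raw body instead of silently accepting it.
function rawParseFails(text) {
  try {
    JSON.parse(text);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Cross-origin path: a <script src=...> tag compiles and runs the whole body as
// JavaScript with no chance to edit it first. We only *compile* it here
// (new Function parses without executing) and report what blind execution
// would do: the &&&START&&& variant is a SyntaxError at parse time, and the
// while(1); variant compiles but would spin forever before any data is read.
function classifyBlindExecution(text) {
  try {
    new Function(text);
  } catch (e) {
    if (e instanceof SyntaxError) return "syntax error";
    throw e;
  }
  return /^\s*while\s*\(\s*1\s*\)\s*;/.test(text) ? "infinite loop" : "would execute";
}

// Demo: the legitimate client gets data, the blind <script> path gets nothing.
for (const body of [CALENDAR_RESPONSE, DOCS_RESPONSE, CONTACTS_RESPONSE]) {
  console.log(JSON.stringify(parseGuardedJson(body)), "|", classifyBlindExecution(body));
}
console.log("unguarded array literal:", classifyBlindExecution('[["u"]]'));
```

The last line shows the case the guard exists for: a bare JSON array with no prefix compiles and executes cleanly as a script, which is exactly what an overridden Array constructor or setter on the attacker's page needs.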