Should we prepend anti-eval code to our json responses? #244
Google and FB prepend while(1); or for(;;) or similar to the beginning of all their JSON responses to force malicious clients to not be able to eval the responses when stealing data (e.g. after overriding core bits of JS like Array). Should we too?

Comments

I don't quite understand the attack vector this seeks to block?

This sort of thing: http://blog.jeremiahgrossman.com/2006/01/advanced-web-attack-techniques-using.html I think that CORS headers probably mitigate it these days, but given the potential risk if people are on crappy clients which don't understand CORS, I wonder if it's worth it anyway.

5.5 years later, I'm still failing to grok the attack, and nobody seems that bothered about it. I'm closing this.