Should we prepend anti-eval code to our json responses? #244
Labels
A-Client-Server
Issues affecting the CS API
Comments
|
I don't quite understand the attack vector this seeks to block? |
|
This sort of thing: http://blog.jeremiahgrossman.com/2006/01/advanced-web-attack-techniques-using.html I think that CORS headers probably mitigate it these days, but given the potential risk if people are on crappy clients which don't understand CORS, I wonder if it's worth it anyway. |
|
5.5 years later, I'm still failing to grok the attack, and nobody seems that bothered about it. I'm closing this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Google and FB prepend while(1); or for(;;) or similar to the beginning of all their JSON responses to force malicious clients to not be able to
evalthe responses when stealing data (eg after overriding core bits of JS like Array). Should we too?The text was updated successfully, but these errors were encountered: