Closed spearce closed 7 years ago
The JSON output for every link I've tried under https://chromium.googlesource.com/breakpad/breakpad/+/master
is bad:
$ curl "https://chromium.googlesource.com/breakpad/breakpad/+/master?format=JSON"
)]}'
{
"commit": "86d5e9e7f94a9cc90c9fe90584d7c8eda6057d17",
"tree": "1dca71600fec8c736164fdc9f5033c1bac1d8924",
<...>
Note the first line in the output; I have no idea what's going on there.
Reported by None
on 2015-12-02 10:57:34
This is intentional; the first line is a cross-site scripting protection to prevent
external sites from slurping the output of a private site based on user cookies.
So WAI.
If you want to parse this JSON, you need to strip the first line before handing it over
to a JSON parser.
Reported by None
on 2015-12-02 16:39:59
I'm a little confused--what attack vector are you trying to close here, the "malicious
site loads JSON URL as a script"? I don't think that's ever been exploitable if you're
returning an object at the top-level of the JSON:
http://flask.pocoo.org/docs/0.10/security/#json-security
Reported by None
on 2015-12-03 03:53:43
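Stripping the guard line before parsing, as the reply above describes, sketched as an added example that is not part of the thread and is not Gitiles code. `parseGuardedJson` and `compilesAsScript` are hypothetical helper names, and the sample body is constructed from the output quoted in the report.

```javascript
// Added example, not Gitiles code. The sample body is constructed from the
// output quoted in the report; the commit and tree ids are the ones shown there.
const XSSI_PREFIX = ")]}'";

// Strip the guard line and parse the rest. With requirePrefix set, a body that
// lacks the guard is rejected instead of being parsed silently, which catches
// an error page or a rewritten response.
function parseGuardedJson(body, { requirePrefix = true } = {}) {
  const text = typeof body === "string" ? body : new TextDecoder("utf-8").decode(body);
  if (text.startsWith(XSSI_PREFIX)) {
    // Drop the prefix plus the line break that follows it (LF or CRLF).
    const rest = text.slice(XSSI_PREFIX.length).replace(/^\r?\n/, "");
    return JSON.parse(rest);
  }
  if (requirePrefix) {
    throw new Error("response does not start with the )]}' guard line");
  }
  return JSON.parse(text);
}

// True if a script engine would accept the text as a program. new Function
// only compiles its argument here; the result is never called.
function compilesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample: the guard line followed by the fields shown in the report.
const guardedBody = [
  ")]}'",
  "{",
  '  "commit": "86d5e9e7f94a9cc90c9fe90584d7c8eda6057d17",',
  '  "tree": "1dca71600fec8c736164fdc9f5033c1bac1d8924"',
  "}",
].join("\n");

console.log(parseGuardedJson(guardedBody).commit, compilesAsScript(guardedBody));
```

`compilesAsScript` returns false for any body that starts with the guard line, and true for an unguarded top-level array such as `["a","b"]`.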
Originally reported on Google Code with ID 90