google / google-visualization-issues


Bug: New Sheets API response includes extraneous text when X-DataSource-Auth header is provided #1928

Open orwant opened 9 years ago

orwant commented 9 years ago
The API documents a way to retrieve a JSON response format (instead of JSONP) by sending
an X-DataSource-Auth header:

https://developers.google.com/chart/interactive/docs/dev/implementing_data_source#jsondatatable

This works fine for old Sheets, and *almost* works for new Sheets. The trouble is that,
when sending an X-DataSource-Auth header with new Sheets, the response starts with
the extraneous string ")]}'" (plus a newline), which obviously makes it invalid JSON.
The response is otherwise as expected.

Here is a cURL command that demonstrates the issue with a new-format Sheet:

curl --header "X-DataSource-Auth: true" "https://docs.google.com/spreadsheets/d/1qT1LyvoAcb0HTsi2rHBltBVpUBumAUzT__rhMvrz5Rk/gviz/tq?gid=0"

Here is the same command with an old-format Sheet that correctly produces valid JSON:

curl --header "X-DataSource-Auth: true" "https://spreadsheets.google.com/tq?key=0AlRp2ieP7izLdGFNOERTZW0xLVpROFc3X3FJQ2tSb2c&gid=0"

Thanks!

Original issue reported on code.google.com by chris@zarate.org on 2015-03-22 22:36:44

orwant commented 9 years ago
Thanks for your report.  We are investigating whether we need a documentation change
or a code change, or perhaps there will be another resolution.

Original issue reported on code.google.com by dlaliberte@google.com on 2015-04-09 14:53:54

taras commented 7 years ago

@orwant this seems to be a "feature" that's described in the Security Considerations section of https://developers.google.com/chart/interactive/docs/dev/implementing_data_source#security-considerations

Make the JavaScript unlikely to execute when included with a
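Client-side handling of the prefix discussed in this thread, as an added example that is not part of the original issue or of Google's code: it accepts both response shapes the report describes (bare JSON, and `)]}'` plus a newline before the JSON) and parses with `JSON.parse` only. The function name `parseDataSourceResponse` and the sample bodies are assumptions constructed for illustration.

```javascript
// Anti-XSSI prefix reported in this issue: )]}' followed by a newline.
const XSSI_PREFIX = ")]}'";

// Parse a data source response body fetched with the X-DataSource-Auth header.
// Accepts both shapes described in the issue: bare JSON (old Sheets) and
// prefix + newline + JSON (new Sheets). Uses JSON.parse only, never eval.
// parseDataSourceResponse is a hypothetical helper name.
function parseDataSourceResponse(body) {
  if (typeof body !== "string") {
    throw new TypeError("response body must be a string");
  }
  let text = body;
  if (text.startsWith(XSSI_PREFIX)) {
    text = text.slice(XSSI_PREFIX.length);
    // The prefix must be terminated by a line break; anything else is unexpected.
    const m = /^\r?\n/.exec(text);
    if (!m) throw new SyntaxError("anti-XSSI prefix not followed by a newline");
    text = text.slice(m[0].length);
  }
  const parsed = JSON.parse(text); // throws SyntaxError on anything that is not JSON
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new SyntaxError("expected a JSON object");
  }
  return parsed;
}

// Constructed sample bodies (not captured from the URLs in the issue).
const SAMPLE_JSON = JSON.stringify({
  version: "0.6",
  status: "ok",
  table: { cols: [{ id: "A", label: "Name", type: "string" }],
           rows: [{ c: [{ v: "alice" }] }] },
});
const OLD_SHEETS_BODY = SAMPLE_JSON;                     // bare JSON
const NEW_SHEETS_BODY = XSSI_PREFIX + "\n" + SAMPLE_JSON; // prefixed JSON
```

Passing `NEW_SHEETS_BODY` straight to `JSON.parse` throws, which is the failure the report describes; the helper returns the same object for both bodies.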
