Status: Closed (closed by GoogleCodeExporter, 8 years ago)
This is intentional. The first line is a cross-site scripting protection to
prevent external sites from slurping the output of a private site based on user
cookies.

So WAI.

If you want to parse this JSON, you need to strip the first line before handing
it over to a JSON parser.

Original comment by sop@google.com on 3 Dec 2015 at 12:39
I'm a little confused: what attack vector are you trying to close here, the
"malicious site loads JSON URL as a script" one? I don't think that's ever been
exploitable if you're returning an object at the top level of the JSON:
http://flask.pocoo.org/docs/0.10/security/#json-security

Original comment by tmielcza...@mozilla.com on 3 Dec 2015 at 11:53
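The consumer-side handling the two comments above discuss (strip the protective first line, then parse the remainder as JSON) as an added example. This is illustration code written for this page, not code from the project being discussed. The prefix value `)]}'` and the sample response body are assumptions constructed for the example; the thread itself only says "the first line" is the protection and does not name its contents.

```python
import json

# ASSUMPTION: the anti-script-inclusion prefix line is ")]}'" (the thread does
# not name it). A body that starts with this line is a syntax error when a
# third-party page tries to load the URL as a <script>, which is the point.
XSSI_PREFIX = ")]}'"

# Constructed sample response: prefix line, then the real JSON document.
SAMPLE_RESPONSE = ")]}'\n{\"id\": 42, \"owner\": \"alice\", \"private\": true}\n"


def parses_without_stripping(body: str) -> bool:
    """Return True if the raw body is already valid JSON.

    For a protected response this is False: the prefix line is exactly what
    makes the body unusable to any consumer that does not strip it first.
    """
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


def strip_xssi_prefix(body: str, prefix: str = XSSI_PREFIX) -> str:
    """Drop the first line when it is the protective prefix.

    Raises ValueError if the prefix is missing, so a caller notices when it is
    pointed at an endpoint that does not use this protection (or when the
    response is not what it expected) instead of silently feeding whatever
    came back to json.loads.
    """
    first_line, _, rest = body.partition("\n")
    if first_line.strip() != prefix:
        raise ValueError(
            "expected anti-XSSI prefix line %r, got %r" % (prefix, first_line)
        )
    return rest


def parse_protected_json(body: str, prefix: str = XSSI_PREFIX):
    """Strip the prefix line, then hand the remainder to a normal JSON parser."""
    return json.loads(strip_xssi_prefix(body, prefix))


if __name__ == "__main__":
    # Without stripping, the sample response is not valid JSON at all.
    print("raw body parses:", parses_without_stripping(SAMPLE_RESPONSE))
    # After stripping the first line, it parses as the intended object.
    print("stripped body:", parse_protected_json(SAMPLE_RESPONSE))
```

Usage with an HTTP client is the same idea: take the response body as text, call `parse_protected_json` on it, and never call `json.loads` on the raw body. The `ValueError` on a missing prefix is deliberate; treating "no prefix" as "fine, parse it anyway" would hide a misconfigured or unexpected endpoint.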
Original issue reported on code.google.com by ted.mielczarek on 2 Dec 2015 at 6:57