Bad JSON output

[GoogleCodeExporter]

The JSON output for every link I've tried under 
https://chromium.googlesource.com/breakpad/breakpad/+/master is bad:
$ curl 
"https://chromium.googlesource.com/breakpad/breakpad/+/master?format=JSON"
)]}'
{
  "commit": "86d5e9e7f94a9cc90c9fe90584d7c8eda6057d17",
  "tree": "1dca71600fec8c736164fdc9f5033c1bac1d8924",
<...>

Note the first line in the output, I have no idea what's going on there.

Original issue reported on code.google.com by ted.mielczarek on 2 Dec 2015 at 6:57

[GoogleCodeExporter]

This is intentional, the first line is a cross site scripting protection to 
prevent external sites from slurping the output of a private site based on user 
cookies.

So WAI.

If you want to parse this JSON, you need to strip the first line before handing 
over to a JSON parser.

Original comment by sop@google.com on 3 Dec 2015 at 12:39

• Changed state: WontFix

[GoogleCodeExporter]

I'm a little confused--what attack vector are you trying to close here, the 
"malicious site loads JSON URL as a script"? I don't think that's ever been 
exploitable if you're returning an object at the top-level of the JSON:
http://flask.pocoo.org/docs/0.10/security/#json-security

Original comment by tmielcza...@mozilla.com on 3 Dec 2015 at 11:53