{}&& JSON Prefix and firebug

[pehm...@gmail.com]

Prefixing the JSON string in this manner is used to help prevent JSON Hijacking. The prefix renders the string syntactically invalid as a script so that it cannot be hijacked. However firebug does not seem to be able to evaluate it as JSON neither because firebug isn't creating the JSON tab for these kind of responses. Is this a bug, a feature or a defect?

Would it be possible that when the returned JSON has {}&& prefix it would work the same way like it doesn't have it, just cutting it out?

[Simon Lindholm]

We do some forms of such JSON prefix stripping, but not for {}&&. See https://github.com/firebug/firebug/blob/master/extension/content/firebug/lib/json.js. Is "{}&&" a common standard?

[pehm...@gmail.com]

http://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.html#setPrefixJson-boolean-

Yeah, its somewhat common standard.

[Alexandre Morgaut]

It looks to be a weird standard then as prefixing a JSON message with "{}&&" will make it invalid regarding the JSON specification

"&&" isn't accepted in neither:

- the original JSON spec (http://json.org/) 

- the ECMA 404 version (http://www.ecma-international.org/publications/standards/Ecma-404.htm)

- the proposed IETF RFC version (http://tools.ietf.org/html/rfc7159)

The fact such invalid JSON message may work with some JSON parse implementations give absolutely no guaranty it will work in everyones, nor it will still work in future editions of those parsers

The safer way to protect JSON messages from JSON hijacking is to never send raw Arrays but embed them into an object

//wrong

["foo","bar","baz"]

//right

{"data":["foo","bar","baz"]}

[Alexandre Morgaut]

A simple test on http://jsonlint.com shows an error

{}&&["foo","bar,"baz"]

=>

Parse error on line 3:
{    }&&[    "foo",    "
------^
Expecting 'EOF', '}', ',', ']'

Le mardi 2 septembre 2014 23:01:32 UTC+2, pehm...@gmail.com a écrit :

[pehm...@gmail.com]

It's not really _a JSON_ standard, it's more of securing the JSON, as it says "The prefix renders the string syntactically invalid as a script so that it cannot be hijacked". IBM is also using this in some of its products. Support for it would be pretty simple. Just adding these lines:

   if (jsonString.length > 4 && jsonString.substring(0, 4) == "{}&&") {
       jsonString = jsonString.substring(4);
   }

in https://github.com/firebug/firebug/blob/master/extension/content/firebug/lib/json.js line 24

[Alexandre Morgaut]

Sure in this regard, Firebug code looks to already filter JSON strings before parsing it, so adding a filter if widely used may make sense.

Note that in your spring documentation, "{}&&" is a default prefix that may be customized. Maybe the additional filter should be based on a configurable list of prefix that would include "{}&&" by default

[Alexandre Morgaut]

Le mercredi 3 septembre 2014 18:00:45 UTC+2, Alexandre Morgaut a écrit :

Note that in your spring documentation, "{}&&" is a default prefix that may be customized. Maybe the additional filter should be based on a configurable list of prefix that would include "{}&&" by default

Sorry I misread it

The parameter is a boolean so there is only one prefix value possible in this framework