Why do we have a magic prefix on the REST API's JSON responses?


David Pursehouse

Aug 26, 2013, 2:59:59 AM8/26/13
to Repo and Gerrit Discussion
According to the documentation [1]:

"The JSON response body starts with a magic prefix line that
must be stripped before feeding the rest of the response body
to a JSON parser"

OK, this is fairly straightforward to implement in a client. However it
would be nice if the documentation also explained *why* the JSON has
this prefix.

I'd upload a change to add that, but I'm not actually sure what the
reason is. Something to do with security, I assume.

Can anyone clarify this?

Also, would it be reasonable to add a configuration option to disable
this magic prefix?


[1]
http://gerrit-documentation.googlecode.com/svn/Documentation/2.6/rest-api.html

Edwin Kempin

Aug 26, 2013, 3:09:36 AM8/26/13
to David Pursehouse, Repo and Gerrit Discussion



2013/8/26 David Pursehouse <david.pu...@sonymobile.com>

> According to the documentation [1]:
>
>         "The JSON response body starts with a magic prefix line that
>         must be stripped before feeding the rest of the response body
>         to a JSON parser"
>
> OK, this is fairly straightforward to implement in a client.  However it would be nice if the documentation also explained *why* the JSON has this prefix.
>
> I'd upload a change to add that, but I'm not actually sure what the reason is.  Something to do with security, I assume.
>
> Can anyone clarify this?

You can find some more details in the source code (in RestApiServlet where JSON_MAGIC is defined):
"
/**
 * Garbage prefix inserted before JSON output to prevent XSSI.
 * <p>
 * This prefix is ")]}'\n" and is designed to prevent a web browser from
 * executing the response body if the resource URI were to be referenced using
 * a &lt;script src="...&gt; HTML tag from another web site. Clients using the
 * HTTP interface will need to always strip the first line of response data to
 * remove this magic header.
 */
"


> Also, would it be reasonable to add a configuration option to disable this magic prefix?
>
> [1] http://gerrit-documentation.googlecode.com/svn/Documentation/2.6/rest-api.html


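As an added illustration of the two halves of Edwin's answer (this is example code written for this page, not code from the thread or from Gerrit itself), the block below shows a client stripping the `)]}'\n` prefix before parsing, and shows why the prefix works: a JSON array on its own compiles as a JavaScript program, so a `<script src="...">` tag on another site could pull it in as script, while the prefixed body is a syntax error and never executes. The function names, the constructed sample change listing, and the use of the `Function` constructor to model the browser's script compilation are all assumptions of this example.

```javascript
// Added example, not Gerrit's own code. Shows (1) how a REST client strips the
// XSSI prefix quoted from RestApiServlet before handing the body to a JSON
// parser, and (2) why that prefix stops a cross-site <script src="..."> include
// from executing the body: the prefix turns the response into a JS syntax error.

const JSON_MAGIC = ")]}'\n"; // the prefix described in RestApiServlet

// Client side: strip the magic prefix and parse what is left.
// A body without the prefix is rejected instead of parsed, so a proxy error
// page or a response from a non-Gerrit endpoint is not treated as API data.
// (Hypothetical helper; the name is this example's, not Gerrit's.)
function parseGerritResponse(body) {
  if (!body.startsWith(JSON_MAGIC)) {
    throw new Error("response lacks the XSSI prefix; refusing to parse it");
  }
  return JSON.parse(body.slice(JSON_MAGIC.length));
}

// Defender's view of the prefix: does this body even compile as a script?
// This models what a browser does with the response body when another site
// references the URI via <script src="...">. The Function constructor is used
// only to compile the text; the resulting function is never invoked.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample, shaped like a Gerrit change listing (a JSON array).
const SAMPLE_CHANGES = [
  { _number: 49193, subject: "Explain the JSON magic prefix in the REST docs", status: "NEW" },
];
const SAMPLE_BODY = JSON_MAGIC + JSON.stringify(SAMPLE_CHANGES);

// Returns the parsed changes and both compile results in one object so a
// caller can check them.
function demo() {
  const bareJson = SAMPLE_BODY.slice(JSON_MAGIC.length);
  return {
    changes: parseGerritResponse(SAMPLE_BODY),
    bareJsonCompiles: compilesAsScript(bareJson),    // true: a JSON array is valid JS
    prefixedCompiles: compilesAsScript(SAMPLE_BODY), // false: ")]}'" cannot be parsed
  };
}

console.log(demo());
```

The defence depends on nothing but the body not being valid JavaScript, which is why the prefix is applied to every JSON response rather than being a per-site option; a client that strips exactly the first line, as the documentation says, keeps working regardless.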

David Pursehouse

Aug 26, 2013, 3:41:54 AM8/26/13
to Edwin Kempin, Repo and Gerrit Discussion
On 08/26/2013 04:09 PM, Edwin Kempin wrote:
> You can find some more details in the source code (in RestApiServlet
> where JSON_MAGIC is defined):
> "
> /**
> * Garbage prefix inserted before JSON output to prevent XSSI.
> * <p>
> * This prefix is ")]}'\n" and is designed to prevent a web browser from
> * executing the response body if the resource URI were to be
> referenced using
> * a &lt;script src="...&gt; HTML tag from another web site. Clients
> using the
> * HTTP interface will need to always strip the first line of
> response data to
> * remove this magic header.
> */
> "
>
Thanks. I've uploaded a change in the documentation to add this
clarification.

https://gerrit-review.googlesource.com/#/c/49193/

>
> Also, would it be reasonable to add a configuration option to
> disable this magic prefix?
>

Considering above, I guess the answer is "no, it would not be reasonable".

