How does the AngularJS JSON vulnerability protection work?

The angular website recommends prefixing your JSONs with )]}'\n, to protect from them being called as JSONP:

A JSON vulnerability allows third party website to turn your JSON resource URL into JSONP request under some conditions. To counter this your server can prefix all JSON requests with following string ")]}',\n". Angular will automatically strip the prefix before processing it as JSON.

But the article referenced has no mention of these closing brackets, and it feels like that would be pretty easy to work around (Because my JSONView chrome plugin has been patched to strip them out. Why wouldn't this work for an 'attacker'?).

Instead the article recommends wrapping the JSON as an object:

{"d": ["Philha", "my-confession-to-crimes", 7423.42]}

Which somehow protects you.

Why does AngularJS favour this (odd) protection, and does it work? I'm not sure exactly how to test this.

AncientSwordRage asked Mar 02 '15 09:03

1 Answer

Why wouldn't this work for an 'attacker'?

In order to strip the characters, you must have access to the raw content of the file.

Chrome extensions have access to that. Someone who has pointed a <script> at the raw file does not.

Why does AngularJS favour this (odd) protection,

because it works ;)

and does it work?

Yes. When the file is treated as JavaScript, it will throw an error on line 1 before it reaches the array. This will stop it from ever trying to evaluate the array, so the overwritten Array constructor won't be able to read in the data from it.


Happily, the security problem appears to exist only in very ancient versions of Firefox, so you probably don't need to worry about this at all.

Quentin answered Oct 04 '22 15:10
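To see the mechanism the answer describes, here is an added example (not code from the question or the answer): it compiles each candidate response body as JavaScript, the way a <script> tag would, and shows that both the prefixed body and the object-wrapped body fail with a SyntaxError before any array literal is reached, while the bare array compiles. The prefix and sample values are those quoted in the question; parsesAsScript and parseProtectedJson are names I chose for this illustration.

```javascript
// Added example, not from the original post. Demonstrates why the
// ")]}',\n" prefix (and the {"d": [...]} wrapper) stop a JSON body from
// being usable when a third-party page loads it as a script.

// Prefix recommended by the Angular docs, as quoted in the question.
const ANGULAR_PREFIX = ")]}',\n";

// Constructed sample bodies built from the values in the question.
const bareArray = '["Philha", "my-confession-to-crimes", 7423.42]';
const prefixed = ANGULAR_PREFIX + bareArray;
const wrapped = '{"d": ["Philha", "my-confession-to-crimes", 7423.42]}';

// Would a <script src="..."> pointing at this body even compile?
// new Function() only parses the source as a JavaScript function body;
// nothing in it is executed, so this is a safe way to probe the parser.
// A top-level ")" or a string literal followed by ":" inside a block are
// both syntax errors, which is exactly what the prefix and wrapper rely on.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// What a cooperating client (e.g. Angular's $http) does instead: it has
// the raw text, strips the known prefix, then parses the rest as JSON.
// Refusing bodies without the prefix catches misconfigured endpoints.
function parseProtectedJson(body) {
  if (!body.startsWith(ANGULAR_PREFIX)) {
    throw new Error("response is missing the expected anti-JSONP prefix");
  }
  return JSON.parse(body.slice(ANGULAR_PREFIX.length));
}

// Summary a reader can run directly with node.
console.log({
  bareArrayCompilesAsScript: parsesAsScript(bareArray),  // true: exposed
  prefixedCompilesAsScript: parsesAsScript(prefixed),    // false: blocked
  wrappedCompilesAsScript: parsesAsScript(wrapped),      // false: blocked
  clientStillGetsData: parseProtectedJson(prefixed),
});
```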