What kind of json answer starts with )]}'

Question

I have noticed that some json queries, particularly in google services, return a peculiar "json" which starts with a closing sequence and then it has just a array structure, specified with square braces.

What kind of ajax is this? Is there some library, js or py, parsing it?

To put a more concrete example:

>>> import json
>>> import urllib2
>>> url=urllib2.urlopen("https://plus.google.com/u/0/_/socialgraph/lookup/visible/?o=%5Bnull%2Cnull%2C%22114423404493486623226%22%5D")
>>> url.readline()
")]}'\n"
>>> url.readline()
'\n'
>>> url.readline()
'[["tsg.lac",[]\n'

and from there, a typical array follows. The full answer is thus a two line "header" and then an array, but the "header" is very puzzling and I wonder if it comes from an standard ajax library or it is just an idea of these guys.

Ah, if you use the developer tools of Chrome to look into the actual queries, you see the same. So I am induced to believe that it is an actual answer and not an artifact of the query.

Answer 1

Using invalid JSON at the beginning of a message is one way to defeat a combination of CSRF and a tricky attack on JavaScript's array constructor.

If that URL returned a valid, unwrapped array, then any site you visited could overload the Array function, place/inject a script reference to that Google+ URL on the page, and harvest your private/secure data when you simply loaded their page.

Google's own client-side code can strip that invalid JSON out before parsing it, because it's using a traditional XHR request which gives them access to the raw response. A remote site can only access it via script element injection and has no chance to pre-process the data before the browser parses it. The latter is similar to how JSONP works, with the Array constructor unwittingly becoming the callback function.

You'll see a similar approach on many high profile sites that return JSON arrays in response to GET requests. Facebook pads theirs with for (;;);, for example. If you try to use the CSRF attack on those Facebook APIs, the browser just enters an infinite loop on the remote site making reference to Facebook's private API. On Facebook.com, their client-side code has an opportunity to strip that off before running a JSON.parse() on it.