When I used Facebook's Open Graph API, I noticed that the JSONP responses generated by Facebook seemed to have an extraneous "/**/" at the beginning of each response like this:
URL:
https://graph.facebook.com/SOME_ID?method=get&pretty=0&sdk=joey&callback=FB.__globalCallbacks.f1c77f051c
Response:
/**/ FB.__globalCallbacks.f887adeec(...);
Why is this?
We added this to protect against an attack where a third party site bypasses the content-type of the response by doing: <object type="application/x-shockwave-flash" data="http://graph.facebook.com?callback=[specifically crafted flash bytes]"></object>
Google does something similar, except they use //... + \n (e.g. http://www.google.com/calendar/feeds/[email protected]/public/full?alt=json&callback=foo)
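The effect of that fixed prefix, as an added example (not code from the question, Facebook or Google): a minimal JSONP responder that emits the `/**/ ` comment before the callback so the first bytes of the body are never chosen by the caller, plus a whitelist on the callback name. The function and regex names are my own.

```python
import json
import re

# Allow only dotted JavaScript identifiers, e.g. FB.__globalCallbacks.f1c77f051c
# (assumed policy; rejects parentheses, quotes, slashes and other syntax)
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Fixed leading bytes: a JavaScript comment that is harmless to the script
# loader but pins the start of the response to a known, non-executable value.
PREFIX = "/**/ "


def is_valid_callback(name: str) -> bool:
    return bool(_CALLBACK_RE.match(name))


def jsonp_response(callback: str, payload: dict, prefix: bool = True) -> bytes:
    """Build the JSONP body. With prefix=True the body always starts with
    PREFIX, so whatever the callback parameter contains, it can never
    appear at offset 0 of the response."""
    if not is_valid_callback(callback):
        raise ValueError("invalid callback name")
    body = json.dumps(payload)
    # U+2028/U+2029 are legal in JSON but terminate a JavaScript line.
    body = body.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")
    text = f"{callback}({body});"
    if prefix:
        text = PREFIX + text
    return text.encode("utf-8")


def response_headers() -> dict:
    # Declare the type explicitly and forbid sniffing; the prefix is the
    # fallback for clients that ignore both.
    return {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


def leading_bytes(callback: str, payload: dict, prefix: bool, n: int = 4) -> bytes:
    """First n bytes of the body; shows who controls the start of the response."""
    return jsonp_response(callback, payload, prefix)[:n]


if __name__ == "__main__":
    cb = "FB.__globalCallbacks.f887adeec"
    print(jsonp_response(cb, {"id": "1"}).decode())
    print("without prefix:", leading_bytes("foo", {}, False))  # caller picks these
    print("with prefix:   ", leading_bytes("foo", {}, True))   # server picks these
```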
Certainly to prevent XSSI... so you can't execute it...
Here is a French blog post about that (with Google Translate): http://maxime.sh/2013/02/javascript-quest-ce-que-le-xssi-et-comment-leviter/