from Hacker News

Ask HN: What's the point of this kind of API?

by kujaomega on 3/23/20, 6:41 PM with 5 comments

I have seen some API requests on the web with an HTTPS GET response body starting with the following characters:

)]}'

Then these characters are followed by arrays of elements without keys (as a JSON). What's the point of having this structure of response requests?

  • by duskwuff on 3/23/20, 7:59 PM

    It prevents the response from being evaluated as JavaScript.

    In some older web browsers (like Firefox 2.0), this was required to prevent an attack where the Array constructor is overridden to capture arrays within a response. This no longer works on any modern browser, but a lot of web services still attempt to defend against it.

    https://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-j...
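What the prefix changes, as an added example that is not part of the original thread: a bare JSON array compiles as a script, the prefixed body is a syntax error, and the site's own client reads the response as text and strips the prefix before `JSON.parse`. The sample body and the function names are constructed for illustration.

```javascript
// Added example: sample data is constructed, function names are hypothetical.
const XSSI_PREFIX = ")]}'";

// Constructed sample of a protected response body: prefix, newline, keyless arrays.
const SAMPLE_BODY = XSSI_PREFIX + '\n[["alice",42],["bob",7]]';

// True if the text compiles as JavaScript, i.e. the browser would run it
// when loaded through a <script src>. new Function only compiles the text;
// the body is never called, so nothing from the response executes here.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// What the legitimate client does: take the response as text, insist on the
// prefix, strip it, then parse the remainder as JSON (never as script).
function parseProtectedJson(text) {
  if (!text.startsWith(XSSI_PREFIX)) {
    throw new Error("missing anti-XSSI prefix; refusing to parse");
  }
  // JSON.parse tolerates the newline left after the prefix.
  return JSON.parse(text.slice(XSSI_PREFIX.length));
}

console.log("bare array compiles as script:", parsesAsScript('[["alice",42],["bob",7]]'));
console.log("prefixed body compiles as script:", parsesAsScript(SAMPLE_BODY));
console.log("client-side parse:", JSON.stringify(parseProtectedJson(SAMPLE_BODY)));
```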

  • by ken on 3/23/20, 10:45 PM

  • by verdverm on 3/23/20, 7:23 PM

    It disables the JS from running in an IFrame I believe.

    Companies like Google and Facebook use this to prevent others from embedding their pages in others.

  • by notlukesky on 3/24/20, 6:14 AM

    You will need it only depending on the type of API you are building. If redirects etc. are not an issue then you won’t need it. APIs are an attack vector for hackers.

  • by zenincognito on 3/23/20, 8:03 PM

    To prevent XSS and other types of attacks like cookie stealing or redirects.