JSON over HTTP Transport #34

mitsuhiko · 2023-04-12T20:27:54Z

The current spec has this in it:

XSSI attacks could potentially make source maps available to attackers by doing a direct script src to a source map after overriding the Array constructor. This can be effectively prevented by preprending a JavaScript syntax error to the start of the response.

Thus when delivering source maps over HTTP, servers may prepend a line starting with the string “)]}'” to the sourcemap. If the response starts with this string clients must ignore the first line.

Does this still carry relevancy in the current day and age and is this consistently being implemented? I haven't seen source maps actually being prefixed with that character sequence.

littledan · 2023-06-14T16:39:47Z

Rob, Justin and Jaro report that this is common enough that we can't remove it.

Refs tc39/source-map#34

mitsuhiko · 2023-07-10T18:57:34Z

This is resolved now. A note has been added to the spec as discussed.

littledan added the Workstream: Correctness label Apr 25, 2023

mitsuhiko added a commit to tc39/source-map-spec that referenced this issue Jul 5, 2023

Clarified note on JSON over HTTP

352bf69

Refs tc39/source-map#34

mitsuhiko mentioned this issue Jul 5, 2023

Clarified note on JSON over HTTP tc39/source-map-spec#10

Merged

mitsuhiko closed this as completed Jul 10, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JSON over HTTP Transport #34

JSON over HTTP Transport #34

mitsuhiko commented Apr 12, 2023

littledan commented Jun 14, 2023 •

edited

Loading

mitsuhiko commented Jul 10, 2023

JSON over HTTP Transport #34

JSON over HTTP Transport #34

Comments

mitsuhiko commented Apr 12, 2023

littledan commented Jun 14, 2023 • edited Loading

mitsuhiko commented Jul 10, 2023

littledan commented Jun 14, 2023 •

edited

Loading