Hacker News
by klagan 5688 days ago
WTF is that?
3 comments

Presumably on the Google website the script is loaded via an xmlhttp request which then strips the initial text and evals the rest. By adding the initial throw 1; they prevent other sites from including the script, since it won't do anything.
Cool site. I've never seen that before. Learn about web security by breaking it.
What about hackthissite.org?
That's extremely smart. XMLHttpRequest protects you via the same origin policy. But there are other ways (such as JSONP) to load JavaScript and bypass the same origin policy. It's not like you cannot opt out of things like JSONP, but this trick adds another layer of protection and is particularly useful in fighting XSSI.
If another site really wanted to include the script, it could also strip the initial text. Is the purpose only to prevent people from including the script by mistake?
You can't make an XHR request to another domain. You can only include it via a <script> tag and that is going to fail.
Didn't know that. Thanks!
thanks!
It's an XHR response that Google search yields on the main page. Just use Firebug/Google Chrome's resource tab to see it.
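
The mechanism discussed in this thread, as an added example that is not part of any comment above and is not Google's code: a same-origin client that reads the response as text can strip the throw 1; guard, while executing the same body as a script (what a cross-origin <script> include does) stops at the throw. The function names and the sample payload are constructed for illustration, and the client uses JSON.parse rather than eval.

```javascript
// Added example: all names and the sample data are constructed.
const GUARD = "throw 1;"; // the prefix mentioned in the thread

// Server side: prepend the guard to a JSON array body.
function guardResponse(data) {
  return GUARD + "\n" + JSON.stringify(data);
}

// Same-origin client: XHR/fetch hands the body over as text, so the
// guard can be checked, stripped, and the remainder parsed as data.
function parseGuardedResponse(text) {
  if (!text.startsWith(GUARD)) {
    throw new Error("missing guard prefix; refusing to parse");
  }
  return JSON.parse(text.slice(GUARD.length));
}

// Cross-origin <script src=...>: the browser runs the body as a program
// and the including page never sees the text, so it cannot strip anything.
// Simulated here by executing the body as a function.
function includeAsScript(text) {
  try {
    new Function(text)();
    return { executed: true, thrown: undefined };
  } catch (e) {
    return { executed: false, thrown: e };
  }
}

const sample = [{ user: "alice@example.test", token: "constructed-value" }];
const guarded = guardResponse(sample);
const unguarded = JSON.stringify(sample);

// Guarded body: parses for the legitimate client, aborts when run as script.
console.log(parseGuardedResponse(guarded));
console.log(includeAsScript(guarded));
// Unguarded array literal: runs to completion as a script, which is the
// precondition the XSSI comment above is concerned with.
console.log(includeAsScript(unguarded));
```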