
Ask HN: What's the point of this kind of API? - kujaomega
I have seen some API requests on the web with an HTTPS GET response body starting with the following characters:

)]}'

Then these characters are followed by arrays of elements without keys (as a JSON). What's the point of having this structure of response requests?
======
duskwuff
It prevents the response from being evaluated as Javascript.

In some older web browsers (like Firefox 2.0), this was required to prevent an
attack where the Array constructor is overridden to capture arrays within a
response. This no longer works on any modern browser, but a lot of web
services still attempt to defend against it.

[https://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-j...](https://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/)
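
Added example, not part of the original thread: a sketch of the defense described in the comment above, showing that a body starting with `)]}'` no longer compiles as JavaScript while a client that can read the raw text strips the prefix and parses the JSON. The function names and the sample payload are constructed for illustration.

```javascript
// Added illustration; names and sample data are constructed, not from any real API.
const XSSI_PREFIX = ")]}'";

// Server side: serialize the value and prepend the guard characters.
function guardJson(value) {
  return XSSI_PREFIX + "\n" + JSON.stringify(value);
}

// Returns true if `body` is syntactically valid JavaScript, which is what a
// cross-origin <script src="..."> include would require before running it.
// The Function constructor only compiles here; the result is never called.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e.name === "SyntaxError") return false;
    throw e;
  }
}

// Client side: same-origin XHR/fetch code sees the response as text, so it
// can verify and remove the guard before handing the rest to JSON.parse.
function parseGuardedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("response is missing the expected guard prefix");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Constructed sample: a keyless array-of-arrays payload like the one in the question.
const sample = [["alice", 42], ["bob", 7]];
const bare = JSON.stringify(sample);
const guarded = guardJson(sample);

console.log("bare array compiles as script:   ", parsesAsScript(bare));
console.log("guarded body compiles as script: ", parsesAsScript(guarded));
console.log("client-side parse of guarded body:", parseGuardedJson(guarded));
```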

------
ken
[https://stackoverflow.com/questions/26955167/json-data-that-...](https://stackoverflow.com/questions/26955167/json-data-that-starts-with-closing-brackets)

------
verdverm
It disables the JS from running in an IFrame I believe.

Companies like Google and Facebook use this to prevent others from embedding
their pages in others.

------
notlukesky
You will need it only depending on the type of API you are building. If
redirects etc. are not an issue then you won’t need it. APIs are an attack
vector for hackers.

------
zenincognito
To prevent XSS and other types of attacks like cookie stealing or redirects.

