Throw 1; < don't be evil (google.com)
84 points by DanielRibeiro on Nov 25, 2010 | 15 comments



Even better: onload="window.lol&&lol()"

I imagine that this is JS intended to be loaded via XHR only.


I was just talking to the guy who added window.lol last Friday. It stands for something that actually made sense in the context of the project, though I forget what exactly.


WTF is that?


Presumably on the Google website the script is loaded via an xmlhttp request which then strips the initial text and evals the rest. By adding the initial throw 1; they prevent other sites from including the script, since it won't do anything.
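
The mechanism described in the comment above, as an added example that is not part of the original thread or Google's code: a guarded response fails when executed as a script, while a same-origin client that can read the raw text strips the guard and parses the rest. The prefix string is constructed from the thread title, the function names are hypothetical, and `new Function` stands in for what a `<script>` include does with the response body.

```javascript
// Constructed guard modelled on the thread title; any text that cannot run as script works.
const XSSI_PREFIX = "throw 1; < don't be evil >";

// Server side (hypothetical helper): prepend the guard to the JSON body.
function guardResponse(data) {
  return XSSI_PREFIX + JSON.stringify(data);
}

// Same-origin client (hypothetical helper): XHR exposes the raw response text,
// so the guard can be stripped. JSON.parse is used instead of eval, and a
// response without the guard is rejected rather than parsed.
function parseGuarded(text) {
  if (!text.startsWith(XSSI_PREFIX)) {
    throw new Error("missing XSSI guard; refusing to parse");
  }
  return JSON.parse(text.slice(XSSI_PREFIX.length));
}

// Model of a <script src=...> include: the body is executed as script and the
// including page never gets to read or edit the text first.
function runAsScript(text) {
  try {
    new Function(text)();
    return { ran: true, error: null };
  } catch (e) {
    return { ran: false, error: e instanceof Error ? e.name : "thrown: " + String(e) };
  }
}

// Constructed sample data.
const sample = { user: "alice@example.com", token: "constructed-value" };
const guarded = guardResponse(sample);
const unguarded = JSON.stringify([sample]); // a bare JSON array is a valid script

console.log("guarded as script:  ", runAsScript(guarded));
console.log("unguarded as script:", runAsScript(unguarded));
console.log("same-origin parse:  ", parseGuarded(guarded));
```
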



Cool site. I've never seen that before. Learn about web security by breaking it.


What about hackthissite.org?


That's extremely smart. XMLHttpRequest protects you via the same origin policy. But there are other ways (such as JSONP) to load JavaScript and bypass the same origin policy. It's not like you cannot opt out of things like JSONP, but this trick adds another layer of protection and is particularly useful in fighting XSSI.


If another site really wanted to include the script, it could also strip the initial text. Is the purpose only to prevent people from including the script by mistake?


You can't make an XHR request to another domain. You can only include it via a <script> tag and that is going to fail.


Didn't know that. Thanks!


Thanks!



It's an XHR response that Google search yields on the main page. Just use Firebug/Google Chrome's resource tab to see it.


Don't be evil? Google?

Apparently their exception handling doesn't work very well :)



