Why is there a for(;;); preamble in Facebook's JSON responses?

views: 113 | answers: 2

+5 A:

See this StackOverflow post: How to restrict JSON access?

In particular, this comment within that thread: for/while loops in JSON responses

Basically, this is used so that attackers can't take the URL, include it on their page and have JavaScript put the variables on the page: as soon as the request has been serviced, the browser will go into an infinite loop, not allowing other JavaScript access to said variables, which would potentially allow attackers to use your browser to get information that is meant to stay private.

X-Istence
OK, but if I know this, I can just use substring and then the content, right? Just as Facebook does.
Alois Reitbauer
Nope, since you can't use XMLHttpRequest or any of those functions, since you are not getting the content from the same domain. Since it is not in the same domain, you have to use a script node to get the content loaded into the current page, which will immediately cause the JavaScript engine to go into an infinite loop.
X-Istence
A: 

Basically, this just runs an infinite loop when parsed. That way, the user's browser freezes (eventually providing a popup allowing the user to stop the script), and the data is never actually read. Hope this makes sense!

devongovett
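The mechanism both answers describe, as an added example that is not code from the thread or from Facebook: the server prepends `for(;;);` to the JSON body, and the same-origin client (which can read the raw text via XMLHttpRequest) strips the known prefix before parsing. The function names and the sample payload are assumptions for illustration; a cross-origin `<script src>` include would execute the body as JavaScript and spin at the prefix, while a plain `JSON.parse` of the guarded body fails because the prefix makes it invalid JSON.

```javascript
// Added example (not from the original thread). Shows the server side that
// emits the for(;;); preamble and the same-origin client that removes it.
const ANTI_HIJACK_PREFIX = 'for(;;);';

// Server side: prepend the preamble to the serialized JSON body. If a
// third-party page loads this URL with a <script> tag, the browser executes
// the text as JavaScript and loops forever at the prefix; the data that
// follows is never evaluated or exposed to that page.
function wrapResponse(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// Client side (same origin, response text obtained via XMLHttpRequest):
// require the prefix, strip it, and parse the remainder. Refusing bodies
// without the prefix also flags an endpoint that forgot the guard.
function parseGuardedResponse(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('missing for(;;); preamble; refusing to parse');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// True if the body parses as plain JSON without stripping. For a guarded
// body this is false: the preamble deliberately makes it invalid JSON.
function isPlainJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample payload standing in for private per-user data.
const sample = { user: 'alice', friends: ['bob', 'carol'] };
const body = wrapResponse(sample);
console.log(body);                        // for(;;);{"user":"alice","friends":["bob","carol"]}
console.log(isPlainJson(body));           // false
console.log(parseGuardedResponse(body));  // { user: 'alice', friends: [ 'bob', 'carol' ] }
```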