Possible Duplicate:
Why does Google prepend while(1); to their JSON responses?
Google returns json like this:
throw 1; <dont be evil> { foo: bar}
and Facebooks ajax has json like this:
for(;;); {"error":0,"errorSummary": ""}
- Why do they put code that would stop
execution and makes invalid json? - How do they parse it if it’s invalid
and would crash if you tried to eval
it? - Do they just remove it from the
string (seems expensive)? - Are there any security advantages to
this?
In response to it being for security purposes:
If the scraper is on another domain they would have to use a script tag to get the data because XHR won’t work cross-domain. Even without the for(;;); how would the attacker get the data? It’s not assigned to a variable so wouldn’t it just be garbage collected because there’s no references to it?
Basically to get the data cross domain they would have to do
<script src="http://target.com/json.js"></script>
But even without the crash script prepended the attacker can’t use any of the Json data without it being assigned to a variable that you can access globally (it isn’t in these cases). The crash code effectivly does nothing because even without it they have to use server sided scripting to use the data on their site.
