We are looking at using the unparseable cruft approach to our JSON as an extra level of security.

In looking at the approaches, I've come across Google's `while(1);` and Facebook's `for(;;);`, and then another mention of `{}&&`.

I've seen comments surrounding the `while(1);` that say the `1` being numeric can get clobbered, so my approach was going to be the `for(;;);`.

Then I came across the `{}&&`, which renders the JSON as invalid yet it can still be parsed/eval'ed. See this article for reference: http://www.sitepen.com/blog/2008/09/25/security-in-ajax/

What are your approaches? And what do your functions look like for making the Ajax call with the unparseable cruft?
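As an added example (not code from the question or from the linked article), here is one way the two halves of the cruft approach fit together: the server prepends one of the three prefixes the question mentions, and the client refuses anything that does not start with a known prefix, strips it, and hands the remainder to `JSON.parse` rather than `eval`. The helper names, `CRUFT_PREFIXES`, and the `fetch`-based wrapper are my own assumptions, not an API from any library.

```javascript
// Added example: emitting and stripping an "unparseable cruft" prefix.
// Helper names and the fetch wrapper are assumptions for illustration.

// The three prefixes discussed in the question. Each makes the body an
// invalid JSON document and an unusable script-tag payload, while the
// JSON after the prefix is unchanged.
const CRUFT_PREFIXES = ["while(1);", "for(;;);", "{}&&"];

// Server side: serialize the value and prepend the chosen prefix.
// Only prefixes the client knows how to strip are allowed.
function wrapJson(value, prefix = "for(;;);") {
  if (!CRUFT_PREFIXES.includes(prefix)) {
    throw new Error("unknown cruft prefix: " + prefix);
  }
  return prefix + JSON.stringify(value);
}

// Client side: require an exact known prefix, cut it off, then parse the
// rest with JSON.parse. Never eval the raw body: the prefixes are infinite
// loops (or a syntax error) by design, so eval is exactly what we avoid.
function stripCruft(body) {
  for (const prefix of CRUFT_PREFIXES) {
    if (body.startsWith(prefix)) {
      return JSON.parse(body.slice(prefix.length));
    }
  }
  // A body without the prefix is not what our server sends; treat it as
  // tampered or misrouted rather than silently parsing it.
  throw new Error("response did not carry the expected cruft prefix");
}

// Sanity check used below: the wrapped body must NOT be valid JSON on its
// own, otherwise the prefix is not doing anything.
function isPlainJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// The Ajax call itself (assumes a fetch-capable environment). The custom
// header is a common companion check: a plain <script src> include cannot
// set it, so the server can reject requests that lack it.
async function getJsonWithCruft(url, init = {}) {
  const headers = Object.assign(
    { "X-Requested-With": "XMLHttpRequest" },
    init.headers || {}
  );
  const res = await fetch(url, Object.assign({ credentials: "same-origin" }, init, { headers }));
  return stripCruft(await res.text());
}

// Constructed sample, standing in for a server response:
const sampleBody = wrapJson({ items: [1, 2, 3], owner: "alice" });
// sampleBody is 'for(;;);{"items":[1,2,3],"owner":"alice"}'
```

Two caveats worth keeping in mind with this pattern: the prefix only defends the cross-site `<script src="...">` inclusion case, so authenticated JSON endpoints still want the usual CSRF controls (the custom header above, or a token), and the client must strip exactly one known prefix rather than trimming "anything up to the first `{`", or a differently shaped response can slip through.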