(I already know that ajax calls have to be from the same origin, and I have already read the relevant answers.)
But I have a problem understanding something:
Facebook (among others) uses the for(;;) || while(1) thing in their json responses:
And - obviously - if I want to use the data I have to remove the for(;;) string and then parse it myself.
I was also told (by @esailija) that:
You can't remove the for loop unless you are from same origin that's the point
Ok great - this is because of the same origin policy.
But I ask this:
Let's say John is doing this on his site (john.com):
bla bla...
<script src="facebook.com/ajax/recent" type="text/javascript"></script>
bla bla...
Notice it's the same url as facebook's (my leftmost red arrow) -
Assumption - If he gets the response via <script>...</script> and the response was without for(;;), he still can't do anything with {"__ar:1,....}! It will have to be padded (like jsonp) with myCallBack({"__ar:1,....});
I mean: It's just like this:
var a=1;
{"__ar:1,....} <--- john can't do anything with this.
var b=1;
Question :
What am I missing, and are my assumptions correct?
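
The two things the question describes, as an added example that is not part of the original post or Facebook's code: a same-origin caller that has the response text strips the guard and parses the rest, and a bare object literal used as a script body does not even parse. The function names, the prefix list and the sample response are assumptions constructed for illustration.

```javascript
// Added example: helper names and sample data are hypothetical/constructed.
const GUARD_PREFIXES = ["for(;;);", "for (;;);", "while(1);", "while (1);"];

// Same-origin path: the caller can read the response text (XHR/fetch),
// so it removes one known guard prefix and parses the remainder as JSON.
// An unguarded response is rejected so a missing guard gets noticed.
function parseGuardedJson(text) {
  const body = text.trimStart();
  const guard = GUARD_PREFIXES.find((p) => body.startsWith(p));
  if (guard === undefined) {
    throw new Error("response is missing the expected guard prefix");
  }
  return JSON.parse(body.slice(guard.length));
}

// Script-include path: the body must parse as JavaScript statements.
// new Function() only compiles the source here; it is never called.
function parsesAsScript(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // e.g. EvalError under a CSP that forbids eval-like calls
  }
}

// Constructed sample response (not a captured Facebook payload).
const sampleResponse = 'for(;;);{"__ar":1,"payload":{"items":[1,2,3]}}';

const data = parseGuardedJson(sampleResponse);
console.log(data.__ar, data.payload.items.length);

// A leading "{" in statement position opens a block, so "__ar": is a
// syntax error: the object never becomes a value the page could read.
console.log(parsesAsScript('{"__ar":1,"payload":null}'));
console.log(parsesAsScript("var a=1; var b=1;"));
```
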