Empty "for" loop in Facebook ajax

Question

While surfing facebook and using the Firebug network debugger I noticed that facebook's AJAX responses all start with an empty for loop.

Example:

for(;;);{...}

Does anyone know why this is done? I assume it's to prevent some sort of XSS attack but I don't totally understand. Thanks!

Looks like it tries to hang the JS engine if the response is eval'd. Probably to make users of the Facebook API use their JSON-parsing library instead of eval? — strager, Jun 17 '10 at 01:51
Possible duplicate of [Why does Google prepend while(1); to their JSON responses?](http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses) — gengkev, Feb 19 '16 at 02:32

score 11 · Accepted Answer · answered Jun 17 '10 at 01:53

11

Like google's

while(1);

it done for preventing of including this in <script> with further using the data

answered Jun 17 '10 at 01:53

zerkms

7

can u plz explain a little bit more? – RSK Mar 13 '11 at 08:22
@zerkms : u means this to prevent XSS attack?? – RSK Mar 14 '11 at 09:49
@zerkms : how `while(1);` will prevent including `while(1);`in ` – RSK Mar 14 '11 at 16:48
5

@RSK The following may be of interest to you: http://stackoverflow.com/questions/2669690/why-does-google-append-while1-in-front-of-their-json-responses – Lea Hayes Dec 09 '11 at 16:11
1

If included, it will hang the Javascript interpreter, so you will never get to use the data. – Sebastián Grignoli Apr 21 '16 at 18:59
@SebastiánGrignoli and that's the whole idea – zerkms Apr 21 '16 at 21:36

1 Answers1