Background

Browsing Facebook and being curious, I decided to look through the network XHR tab in the Chrome developer tools to view the API calls they make to their back end. Upon looking at the calls and headers, I noticed something very peculiar about how they send and package their data:

```
for (;;);{
  "__ar": 1,
  "payload": {
    "profiles": {
      "1244780025": {
        "id": "1355891136",
        "name": "JoeD Dirt",
        "firstName": "Joe",
        "vanity": "joe.dirt",
        "thumbSrc": "https://some.picture.url/source.png",
        "uri": "https://www.facebook.com/joe.dirt",
        "gender": 2,
        "i18nGender": 1,
        "type": "friend",
        "is_friend": true,
        "is_active": false,
        "mThumbSrcSmall": null,
        "mThumbSrcLarge": null,
        "dir": null,
        "searchTokens": [
          "Joe",
          "Dirt"
        ],
        "alternateName": "",
        "is_nonfriend_messenger_contact": false
      }
    }
  },
  "bootloadable": {},
  "ixData": {},
  "gkxData": {},
  "lid": "6440706546668495821"
}
```

And the content type:

content-type: application/x-javascript; charset=utf-8

It really got me wondering if returning the data as an actual JavaScript object, rather than a string of JSON, is any faster or even more convenient to do; however, I am unsure about how to use this type of return.

My questions

  1. How would I go about using this type of data structure safely? Obviously it returns JavaScript, but doesn't it need to be run in an exec, which can be unsafe?
  2. How would I go about performance testing this structure against its JSON counterpart?
  3. Are there any advantages (performance or otherwise) to using one over the other?

EDIT: While "Empty "for" loop in Facebook ajax" answers, very poorly, the WHAT about this, it doesn't answer any of the 3 questions I posed above.

Derek Pollard
  • It might just be a technique to make it harder to intercept/capture the XHR response data. That `for(;;);` would just produce an infinite loop. I've also seen sites that wrap the JSON in a `/* */` comment, and other similar things. – David784 May 04 '18 at 20:30
  • In other words your best bet would probably be to strip the `for(;;);` out of the string, and then do a regular `JSON.parse()`. – David784 May 04 '18 at 20:32
  • @David784, if that were the case, I don't think the developer tools would be able to efficiently parse the data as an object, and it does, super confusing – Derek Pollard May 04 '18 at 20:33
  • [JSON (JavaScript Object Notation)](http://json.org/) is a lightweight data-interchange format. Parsing/Stringifying does require some horsepower. – Ronnie Royston May 04 '18 at 20:34
  • @RonRoyston I know what JSON is, and it does take some horsepower, so if this turns out to be more efficient, I'd like to know, ya know? – Derek Pollard May 04 '18 at 20:35
  • I'm trying to find it, but I swear I remember some company implementing a similar "fix" to screw with a javascript/browser based DDoS attack at one point. Basically it was a bunch of hijacked browsers that would make requests to a site in a loop, but upon receiving code like that `for(;;)` bit, it would cause the hijacked browser to just spin instead. I'll try and find it. – Matti Price May 04 '18 at 21:01
  • I think this question is best answered here: https://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses – Antoine Trouve May 04 '18 at 21:15

0 Answers
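
The approach suggested in the comments (strip the `for (;;);` guard, then call `JSON.parse()`), written out as an added example that is not part of the original thread and is not Facebook's code. The function names and the sample response are constructed; the `while(1);` and `)]}'` prefixes generalize beyond the one response shown in the question, and the `/* */` wrapper is the variant mentioned in the comments.

```javascript
// Added example: parse a "guarded" JSON response without eval()/exec.
// A guard prefix makes the body useless when it is loaded as a <script>,
// so a caller that reads the text via XHR/fetch strips it before parsing.
const GUARD_PREFIXES = [
  /^for\s*\(\s*;\s*;\s*\)\s*;/,        // for (;;);  (the response in the question)
  /^while\s*\(\s*(?:1|true)\s*\)\s*;/, // while(1);  (from the linked question)
  /^\)\]\}',?/,                        // )]}'       (another common guard)
];

function stripGuard(text) {
  // Drop a byte-order mark and leading whitespace before matching.
  const body = text.replace(/^\uFEFF/, '').trimStart();
  for (const re of GUARD_PREFIXES) {
    const m = re.exec(body);
    if (m) return body.slice(m[0].length).trim();
  }
  // Variant from the comments: the whole JSON wrapped in /* ... */.
  const wrapped = /^\/\*([\s\S]*)\*\/$/.exec(body.trim());
  return wrapped ? wrapped[1].trim() : body.trim();
}

function parseGuardedJson(text) {
  const body = stripGuard(text);
  // Design choice of this example: accept only an object or array.
  if (!/^[\[{]/.test(body)) {
    throw new SyntaxError('unexpected content after guard prefix');
  }
  // JSON.parse only builds data; nothing in the body is executed, and
  // any trailing script (e.g. "};alert(1)") makes it throw.
  return JSON.parse(body);
}

// Constructed sample modelled on the response in the question.
const SAMPLE =
  'for (;;);{"__ar":1,"payload":{"profiles":{"1244780025":' +
  '{"name":"JoeD Dirt","is_friend":true}}},"lid":"6440706546668495821"}';

function demo() {
  const data = parseGuardedJson(SAMPLE);
  return data.payload.profiles['1244780025'].name;
}

console.log(demo());
```
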