It is well known that Facebook uses javascript responses (JS,not json) which is prefixes with while(1)
& for(;;);
in order to prevent script tag to steal the json data when old browsers are being overloaded with their Array ctor & Object ctor.
But from a recent try , it seems that this is not the case anymore (for friends list , which i'm sure it was used)
Notice that now , the content-type is :
content-type: application/octet-stream
But why did they do it ? is it now safe ? ( I know that it's for older browsers , but still...).
I know that [..]
's ctor was problematic. But what about {..}
's ctor ?
Question:
Why did facebook remove the infinite-loop ? and how do they now mitigate against json hijacking ?
I mean , what happens now if <script>
tag will try to fetch the "getFiriends "list ? ( in a very old browser)
NB
Worth to mention that there are still others responses with infinite loop for {..}
!!
:
Also in here ( Object , with infinite loop)