0

I was watching the Network Monitor on Chrome's developer tool seeing how Facebook updates content throughout their news feed.

All of the responses from AJAX begin with the following:

for (;;);{"__ar":1,"payload":[]}

What is the for(;;); piece doing?

Is this part of their custom JS framework? Or is this native and just something I am unfamiliar with?

It seems to be loading as a json object when I preview it.

Atticus
  • Answered here: http://stackoverflow.com/questions/6339790/what-does-ajax-call-response-like-for-json-data-mean – Ken Redler Sep 27 '11 at 04:55

2 Answers

2

It appears to be a lame attempt at content protection (DRM). The for() loop is basically infinite. The intention appears to be that anyone sourcing their AJAX request with javascript naively will end up with code that hangs because of the infinite loop.

The for() loop would also generate errors for standard JSON parsers like those found in jQuery or YUI or even from JSON.org. To consume the request you need to write your own parser or first remove the for() loop from the request.

Which is why I said this looks lame. Because it isn't difficult to remove the for() loop from the string with a bit of code.

slebetman
  • so this is a security measure? – Atticus Sep 27 '11 at 04:55
  • Since it's being returned as a string, the loop isn't ever reached unless the string is attempted to be executed somehow, so couldn't you just replace the for(;;) with an empty string using a native string replace method? – Atticus Sep 27 '11 at 04:57
  • Notice I said `anyone sourcing their AJAX request with javascript naively`. I assumed everyone understood that naive programmers use `eval()` to parse JSON. (Even Crockford agreed that it is one of the few appropriate uses of `eval`, provided the string is first tested for errors.) – slebetman Sep 27 '11 at 06:11
1

It's not really content protection per se; as has been noted, it is trivial to work around it. The likely purpose is to "break" apps that simply take the string and feed it to a javascript eval() function. That approach was once quite common, and still can be found more often than you would think. I suspect there are quite a few programmers out there who think that is actually the proper way to parse a JSON string into javascript variables. Adding the for-loop to the beginning of the string loosely enforces a parse-instead-of-eval rule. Of course it's still trivial to work around it if the programmer is dead set on using eval. I would say it's meant more as a broken-code detector that will force old (and lazy) coding to be corrected.

Floyd Wilburn
  • And the reason why Facebook wants to `break` such apps: content protection. Breaking the app is the mechanism, content protection is the intention. We are really saying the same things differently. – slebetman Sep 27 '11 at 06:13
  • Well, there's nothing to stop someone who knows what they're doing from parsing the return correctly; as mentioned above, this is likely to stop coders from doing an eval() on the return value of the AJAX endpoint – Igy Sep 27 '11 at 09:31
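
The parse-instead-of-eval handling that both answers describe, as an added example that is not part of the original posts and is not Facebook's code. The function names are hypothetical, the sample body is the one quoted in the question, and rejecting a body that lacks the prefix is a choice made for this example.

```javascript
// Added example: all names here are hypothetical.
// Matches the guard with or without spaces: "for(;;);" or "for (;;);"
const GUARD = /^\s*for\s*\(\s*;\s*;\s*\)\s*;/;

// Server side: serialize a value and prepend the guard, so the body is
// no longer valid JSON and loops forever if it is run as script.
function guardJson(value) {
  return 'for (;;);' + JSON.stringify(value);
}

// Client side: require the guard, strip it, then parse the rest as data.
function parseGuardedJson(body) {
  if (typeof body !== 'string') {
    throw new TypeError('body must be a string');
  }
  const match = GUARD.exec(body);
  if (!match) {
    // Assumption for this example: an unguarded body is treated as an error.
    throw new Error('missing for(;;); guard prefix');
  }
  // JSON.parse only builds data; the text is never executed (no eval()).
  return JSON.parse(body.slice(match[0].length));
}

// Reports whether a strict JSON parser accepts the raw, unstripped body.
function strictParserAccepts(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (err) {
    return false; // SyntaxError: "for" is not a JSON token
  }
}

// Response body quoted in the question.
const sample = 'for (;;);{"__ar":1,"payload":[]}';

console.log('strict parser accepts raw body:', strictParserAccepts(sample));
console.log('parsed after stripping guard:', parseGuardedJson(sample));
console.log('server-side output:', guardJson({ __ar: 1, payload: [] }));
```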