What does a Ajax call response like 'for (;;); { json data }' mean?

Mridul Kashatria picture Mridul Kashatria · Jun 14, 2011 · Viewed 49k times · Source

Possible Duplicate:
Why do people put code like “throw 1; <dont be evil>” and “for(;;);” in front of json responses?

I found this kind of syntax being used on Facebook for Ajax calls. I'm confused on the for (;;); part in the beginning of response. What is it used for?

This is the call and response:

GET http://0.131.channel.facebook.com/x/1476579705/51033089/false/p_1524926084=0

Response:

for (;;);{"t":"continue"}

Answer

T.J. Crowder picture T.J. Crowder · Jun 14, 2011

I suspect the primary reason it's there is control. It forces you to retrieve the data via Ajax, not via JSON-P or similar (which uses script tags, and so would fail because that for loop is infinite), and thus ensures that the Same Origin Policy kicks in. This lets them control what documents can issue calls to the API — specifically, only documents that have the same origin as that API call, or ones that Facebook specifically grants access to via CORS (on browsers that support CORS). So you have to request the data via a mechanism where the browser will enforce the SOP, and you have to know about that preface and remove it before deserializing the data.

So yeah, it's about controlling (useful) access to that data.