It is well known that Facebook uses javascript responses (JS,not json) which is prefixes with while(1) & for(;;); in order to prevent script tag to steal the json data when old browsers are being overloaded with their Array ctor & Object ctor.
But from a recent try , it seems that this is not the case anymore (for friends list , which i'm sure it was used)
Notice that now , the content-type is :
content-type: application/octet-stream
But why did they do it ? is it now safe ? ( I know that it's for older browsers , but still...).
I know that [..]'s ctor was problematic. But what about {..}'s ctor ?
Question:
Why did facebook remove the infinite-loop ? and how do they now mitigate against json hijacking ?
I mean , what happens now if <script> tag will try to fetch the "getFiriends "list ? ( in a very old browser)
NB
Worth to mention that there are still others responses with infinite loop for {..} !! :
Also in here ( Object , with infinite loop)
from Is facebook suddenly safe against JSON hijacking?
No comments:
Post a Comment