After reading this question as to why Google/Facebook etc. add unparseable cruft like:
1. `while(1);`
2. `for(;;);`
3. `&&&START&&& ... &&&END&&&`
4. 1 and 3 combined

to their JSON responses, I have understood the motivation. But I am still not clear as to why such relatively complex mechanisms are used, when similar effects could be achieved with things like
- adding an extra `)` at the beginning for rendering the entire line invalid with a syntax error
- wrapping the JSON in comments

Now, it seems that this added protection of an infinite loop and (weird) syntax error would be to get around older and permissive JavaScript parsers, but I cannot seem to find any references indicating that this is the case. There is another SO question that goes on to even diss the `while(1);` workaround (stating the 1 can be clobbered) and reject another workaround of the form `{}&&`, but doesn't explain why or cite any sources.

Other references:
- http://code.google.com/p/fbug/issues/detail?id=369
- http://prototypejs.org/learn/json, which suggests wrapping the JSON in `/*-secure-\n...*/`
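
An added example, not part of the original post: it compiles (never runs) each guard named in the question in front of a constructed JSON array, showing which guards a script parser rejects outright and which parse but keep the payload from being evaluated, then strips the guard the way a same-origin client would before `JSON.parse`. The names `GUARDS`, `scriptVerdict`, `survey` and `parseGuarded` are made up for illustration, and `new Function` is an assumption standing in for the parse step of a cross-origin script include.

```javascript
// Constructed sample payload: a top-level array is a valid script on its own.
const PAYLOAD = '[{"user":"alice","balance":42}]';

// The guards listed in the question, each applied to a JSON string.
const GUARDS = {
  'while(1);':   (j) => 'while(1);' + j,
  'for(;;);':    (j) => 'for(;;);' + j,
  '&&&START&&&': (j) => '&&&START&&&' + j + '&&&END&&&',
  ')':           (j) => ')' + j,
  '{}&&':        (j) => '{}&&' + j,
  '/*-secure-':  (j) => '/*-secure-\n' + j + '*/',
};

// Compile the body as script without executing it.
// 'syntax-error': the parser rejects the whole response, nothing runs.
// 'compiles':     the response is a valid script; what it does depends on the guard.
function scriptVerdict(body) {
  try {
    new Function(body); // builds the function, never calls it
  } catch (e) {
    return 'syntax-error';
  }
  return 'compiles';
}

// Verdict for the bare payload and for every guarded form.
function survey(payload) {
  const out = { bare: scriptVerdict(payload) };
  for (const [name, wrap] of Object.entries(GUARDS)) {
    out[name] = scriptVerdict(wrap(payload));
  }
  return out;
}

const PREFIXES = ['while(1);', 'for(;;);', '{}&&', ')'];
const WRAPPERS = [['&&&START&&&', '&&&END&&&'], ['/*-secure-\n', '*/']];

// Same-origin client side: read the body as text, strip one prefix and/or
// one wrapper, then parse as data. The body is never evaluated as code.
function parseGuarded(body) {
  let text = body;
  const p = PREFIXES.find((x) => text.startsWith(x));
  if (p) text = text.slice(p.length);
  const w = WRAPPERS.find(([a, b]) => text.startsWith(a) && text.endsWith(b));
  if (w) text = text.slice(w[0].length, text.length - w[1].length);
  return JSON.parse(text);
}

console.log(survey(PAYLOAD));
```

The two loop guards and the comment wrapper compile as script: the loops never reach the payload, and the comment form leaves an empty program. The `)`, `{}&&` and `&&&START&&&` forms fail at parse time.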