I was looking at some facebook XHR request. I seen that there is a

Question

0

Asked: June 5, 20262026-06-05T05:04:33+00:00 2026-06-05T05:04:33+00:00

I was looking at some facebook XHR request. I seen that there is a

0

I was looking at some facebook XHR request. I seen that there is a request that is cross domain, and the response is a JSON like:

for (;;); {/* JSON object */}

Why that response starts with a for???
I think it is related to some security reason, can someone explain me it?
Thanks

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-05T05:04:35+00:00

Editorial Team

2026-06-05T05:04:35+00:00Added an answer on June 5, 2026 at 5:04 am

This is done to protect against XSS.

If a malicious site includes that JSON URL in a <script> tag, the browser will freeze.
The actual client site can just strip the prefix; other sites cannot, because of the Same-Origin Policy.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I was looking at some facebook XHR request. I seen that there is a

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply