Empty "for" loop in Facebook ajax

While surfing Facebook and using the Firebug network debugger I noticed that Facebook's AJAX responses all start with an empty for loop. Example: for(;;);{...} Does anyone know why this is done? I assume it's to prevent some sort of XSS attack, but I don't totally understand. Thanks!

Like Google's while(1);, it is done to prevent this from being included in a <script> and the data then being used further.

JSON unparseable cruft: Why so serious?

After reading this question as to why Google/Facebook etc. add unparseable cruft like:

1. while(1);
2. for(;;);
3. &&&START&&& ... &&&END&&&
4. 1 and 3 combined

to their JSON responses, I have understood the motivation. But I am still not clear as to why such relatively complex mechanisms are used, when similar effects could be achieved with things like:

- Adding an extra ) at the start, rendering the whole line invalid with a syntax error
- Wrapping the JSON in a comment

Now, it seems that this adds an infinite loop

Why is there a for(;;); preamble in facebooks JSON responses?

This question already has an answer here: Why does Google prepend while(1); to their JSON responses?

See this StackOverflow post: How to restrict JSON access? In particular this comment within that thread: for/while loops in JSON responses. Basically this is used so that attackers can't get the URL and include it on their page and have JavaScript now put the variables on the page, because once the request is served the browser will go into an infinite loop, not allowing any other JavaScript to access said variables, which could allow an attacker to use your browser

Is it possible to do 'JSON hijacking' on modern browser?

This question already has an answer here: Is JSON Hijacking still an issue in modern browsers?

It's not about the legitimate application parsing the JSON. JSON hijacking is an information disclosure issue about some malicious party requesting your JSON data instead of the real application, usually while the user is logged into the application that uses the API. Simple authentication doesn't help, because the browser sends the auth information for free, e.g. the auth cookie :-/. But with ES5, most current browsers are no longer directly affected by this issue. Nevertheless, defense in depth

JSONP inner workings with AJAX

This question already has an answer here: What is JSONP all about? [duplicate]

It works exactly the way you thought it should: it adds an async script tag into head, and immediately removes it after calling the callback function.

Update: Only to inform, I was using the JSONP Flickr API in the example above:

setTimeout(function() {
  $.getJSON('http://api.flickr.com/services/feeds/photos_public.gne?jsoncallback=?', {
    tags: 'jquery',
    tagmode: 'any',
    format: 'json'

Refused to execute script on jsonp request

This question already has an answer here: What is JSONP all about? [duplicate]

In PHP, set before the echo: header('Content-Type: application/json'); And your PHP doesn't have any callback (you're not returning JSONP). You want it to look something like:

echo $_GET['callback'].'('.json_encode($arr).')';

Edited: I missed the absolutely obvious. JSONP is for cross-site AJAX calls. You are using it as a script. That is a very awkward way to load data. The normal way is to load the data via an AJAX call in a script.

Use jQuery.getJson to get Web API

This question already has an answer here: What is JSONP all about? [duplicate]

You need to enable CORS in your Web API. First, install this NuGet package: https://www.nuget.org/packages/Microsoft.AspNet.WebApi.Cors and then add this line to WebApiConfig:

config.EnableCors(new EnableCorsAttribute("*","*","*"));

WebApiConfig:

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.

Angular 2 JSONP, injected script did not invoke callback

This question already has an answer here: What is JSONP all about? [duplicate]

Your code assumes that your server application uses the callback parameter in the returned payload. Your server could use another parameter like c. The content of this parameter is used to generate a response payload like the one below:

__ng_jsonp__.__req0.finished({ ... })

Otherwise, the callback won't be invoked in Angular 2 (your case).

JSONP & how do you pronounce it?

Possible Duplicate: Please explain JSONP. Related question: Explanation and usage of JSONP.

I know what JSON is, but what is JSON-P? How do you pronounce JSON-P?

JSONP or "JSON with padding". It helps grabbing JSON from external domains. It's all about a cleaner way to get data objects (and other things) from the external domain. It's a workaround for the cross-domain JavaScript problem. jQuery supports it too. Technical details. How do I pronounce it? "Jayson Pee". JSON-P = JSON with padding: http://ajaxian.com/archives/jsonp-json-with-padding

How to make cross domain request

This question already has an answer here: What is JSONP all about? [duplicate]

You can make cross-domain requests using the XMLHttpRequest object. This is done using something called "Cross-Origin Resource Sharing". See: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing Very simply put, when the request is made to the server, the server can respond with an Access-Control-Allow-Origin header, which will allow or deny the request. The browser needs to check this header and, if allowed, it will continue with the request process.