I can't seem to figure out a way to ignore the for(;;); in the response body of my cross-domain JSONP requests. I am doing this on my own servers, nothing else going on here. I am trying to include that for(;;); inside the response body of my callback as such:
_callbacks_.callback(for(;;);[jsondata....]);
but how can I remove it from the response body before the JS code gets parsed? I am using the Google Closure Library btw.
Ok I think I figured it out. The reason why the for(;;); is there is to prevent cross-domain data requests of certain information. So basically if you have information you are trying to protect you go through a normal Ajax JSON channel and if you are storing data on multiple servers you deal with it on server level.
JSONP requests are actually a remote script inclusion, which means whatever the server outputs is actual JavaScript code, so if you have a for(;;); before your _callbacks_.callback(); the code will be executed on the origin domain on request success. If it's an infinite for loop, it will obviously jam the page.
So the normal implementation method is the following: for(;;); or while(1); or throw(1); followed by a <prevent eval statements> string.

Just thought I should put this out here in case someone else will Google it in the future, as I didn't find proper information by Googling. This should help prevent cross domain request forgery.
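The two paths described in the post, as an added example in plain JavaScript that is not part of the original post and does not use the Closure Library: a same-origin client that receives the body as text can drop the guard and parse the rest, while a script inclusion executes the guard before it ever reaches the callback. The helper names parseGuardedJson and runAsScript are hypothetical, and the sample response bodies are constructed.

```javascript
// Guard prefixes named in the post above. A server prepends one of them to
// JSON that must only be read through a same-origin XHR channel.
const GUARDS = ['for(;;);', 'while(1);', 'throw(1);'];

// Same-origin path: the client has the body as text, so it can drop the
// guard and parse the remainder as data. Nothing is evaluated as script.
function parseGuardedJson(body) {
  const text = body.trimStart();
  const guard = GUARDS.find((g) => text.startsWith(g));
  if (!guard) {
    // A missing guard means the response is not the protected format.
    throw new Error('guard prefix missing; refusing to parse');
  }
  return JSON.parse(text.slice(guard.length));
}

// Script-inclusion path (what a JSONP <script src> load does): the body is
// executed as-is, so the guard runs first. Only the throw(1); guard is
// executed in this demo, because the loop guards would hang it the same
// way they hang the including page.
function runAsScript(body) {
  let received = null;
  const _callbacks_ = { callback: (data) => { received = data; } };
  try {
    new Function('_callbacks_', body)(_callbacks_);
  } catch (e) {
    return { reached: false, thrown: e, received };
  }
  return { reached: received !== null, thrown: null, received };
}

// Constructed sample responses.
const xhrBody = 'for(;;);{"user":"alice","items":[1,2,3]}';
const guardedScript = 'throw(1);_callbacks_.callback({"user":"alice"});';
const plainJsonp = '_callbacks_.callback({"user":"alice"});';

console.log(parseGuardedJson(xhrBody));          // parsed object
console.log(runAsScript(guardedScript).reached); // callback never runs
console.log(runAsScript(plainJsonp).reached);    // callback runs
```

This is why the guard and JSONP cannot be combined: the guard has to be removed from text before parsing, and a script inclusion never exposes the response as text.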