Hacker News new | ask | show | jobs
by westoque 3331 days ago
I wondered the same thing years ago. I always thought that browsers would have implemented other security measures so that websites avoid doing this.

Around 90 something percent of websites I visit don't implement that `for(;;)` or `while(1)` solution.

So are we saying that they're vulnerable sites?
4 comments
minitech 3331 days ago
No, they’re not vulnerable; browsers fixed this bug a long time ago.
link
coldtea 3331 days ago
>So are we saying that they're vulnerable sites?

We are saying that they're vulnerable for THAT particular issue (the JSON hijacking), and that is only if they don't already have some other way of dealing with it.

link
raulk 3331 days ago
> So are we saying that they're vulnerable sites?

Not necessarily, if all their API responses are top-level JSON objects.

link
Lxr 3331 days ago
The root object has to be an array I believe.
link