
I wondered the same thing years ago. I always thought that browsers would have implemented other security measures so that websites avoid doing this.

Around 90 something percent of websites I visit don't implement that `for(;;)` or `while(1)` solution.

So are we saying that they're vulnerable sites?




No, they’re not vulnerable; browsers fixed this bug a long time ago.


> So are we saying that they're vulnerable sites?

We are saying that they're vulnerable for THAT particular issue (the JSON hijacking), and that is only if they don't already have some other way of dealing with it.


> So are we saying that they're vulnerable sites?

Not necessarily, if all their API responses are top-level JSON objects.


The root object has to be an array I believe.
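
The distinction discussed in the replies above, as an added example that is not part of the thread: a response whose root is a JSON object fails to parse when loaded as a script, an array root is a valid script, and a `for(;;);` or `while(1);` guard means a same-origin client has to strip the prefix before parsing. The function names and sample responses are constructed for illustration.

```javascript
// Added example; GUARDS, isJson, parsesAsScript and parseGuarded are illustrative names.

// Prefixes a server may prepend so the body is no longer plain JSON.
const GUARDS = ["for(;;);", "while(1);"];

function isJson(body) {
  try { JSON.parse(body); return true; } catch (e) { return false; }
}

// Would this body parse if a page loaded it via <script src>?
// new Function() only compiles the text; nothing is executed here.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Same-origin client: strip a known guard, then parse strictly as JSON.
function parseGuarded(body) {
  const text = body.trimStart();
  const guard = GUARDS.find((g) => text.startsWith(g));
  return JSON.parse(guard ? text.slice(guard.length) : text);
}

// Constructed sample responses.
const samples = {
  arrayRoot: '[{"id":1,"email":"a@example.test"}]',
  objectRoot: '{"id":1,"email":"a@example.test"}',
  guardedArray: 'for(;;);[{"id":1,"email":"a@example.test"}]',
};

// One row per sample: is it valid JSON, and is it a parseable script?
function report() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, body]) => [
      name,
      { validJson: isJson(body), parsesAsScript: parsesAsScript(body) },
    ])
  );
}

console.table(report());
```
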



