TL;DR
Yes, it is there to prevent a very specific type of attack based on JSON requests made from other domains.
One type of attack
According to an article from You've Been Haacked, one of the attacks in this category can be described as a combination of cross-site request forgery (XSRF) and loopholes in old browsers that allowed malicious scripts to read all or part of the content returned by JSON requests to other domains.
Briefly, XSRF is when a malicious script makes requests to a remote server (Facebook, in this case) using the user's credentials, either to act on behalf of the user or to obtain sensitive data.
How the attack works
The idea is basically the following:
The user authenticates with Facebook
The user accesses a malicious website
A script on the malicious website uses a <script> tag to make a GET request to the Facebook web service that returns JSON
The malicious script circumvents browser security and retrieves the data returned by the request to Facebook
Example implementation of the attack
Extracted from the site above, consider the following example:
<script type="text/javascript">
    // Redefine the global Array constructor so that every array created
    // afterwards (including those built from the JSON literal) is captured
    var secrets;
    Array = function() {
        secrets = this;
    };
</script>
<!-- the cross-domain JSON is loaded as a script, so the browser evaluates it as JavaScript -->
<script src="http://haacked.com/demos/secret-info.json" type="text/javascript"></script>
<script type="text/javascript">
    // Read the captured array out of the hijacked constructor
    var yourData = '';
    var i = -1;
    while (secrets[++i]) {
        yourData += secrets[i] + ' ';
    }
    alert('I stole your data: ' + yourData);
</script>
In some older browsers, the code above causes the secrets variable to receive the values of any new Array created after the initial snippet has run. This is a redefinition of the constructor.
Next, the <script> tag requests the other server, and if there is an Array in the returned JSON, the data is captured.
Conclusion
Even though modern browsers make it very difficult to capture data from such requests, the infinite for loop leaves the malicious script no chance of doing anything with data that could be obtained from web service calls made through <script> tags: the response is evaluated as JavaScript, and execution never gets past the loop to the JSON that follows it.
So it's an added layer of security.
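As an added illustration (my own code, not from the original answer or from Facebook), here is the mitigation in both halves: the server prepends the unparsable prefix to every JSON body, and the legitimate same-origin client, which receives the body as text rather than as a script, strips the prefix before parsing. The names PROTECTION_PREFIX, guardJson, parseGuardedJson and fetchGuardedJson are my own, and the sample data is constructed.

```javascript
// Prefix that makes the body a valid JS program that never terminates
// when loaded via <script src=...>, yet is trivial to strip when the
// body is read as text by a same-origin XHR/fetch call.
const PROTECTION_PREFIX = 'for(;;);';

// Server side: serialise a value and put the guard in front of it.
// The result is deliberately NOT valid JSON, so nothing that evaluates
// it as JavaScript (the Array-constructor trick above included) can
// reach the data: execution is stuck in the infinite loop first.
function guardJson(value) {
  return PROTECTION_PREFIX + JSON.stringify(value);
}

// Client side: remove the guard and parse the real payload.
// A body without the guard is rejected rather than parsed, so a
// tampered or downgraded response is not silently accepted.
function parseGuardedJson(body) {
  if (typeof body !== 'string' || !body.startsWith(PROTECTION_PREFIX)) {
    throw new Error('response is missing the JSON hijacking guard');
  }
  return JSON.parse(body.slice(PROTECTION_PREFIX.length));
}

// Convenience wrapper for browser/Node 18+ code: fetch the endpoint with
// the user's own cookies and read the body as text, which is the only
// channel through which the guarded JSON is meant to be consumed.
async function fetchGuardedJson(url) {
  const res = await fetch(url, { credentials: 'same-origin' });
  return parseGuardedJson(await res.text());
}

// Constructed sample standing in for the "secrets" of the answer.
const wire = guardJson(['secret-1', 'secret-2']);
// wire === 'for(;;);["secret-1","secret-2"]'
// JSON.parse(wire) throws, and as a <script> it loops forever; only
// parseGuardedJson(wire) yields ['secret-1', 'secret-2'].
```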