Is it correct if this was in response from an ajax call?
This is one of the strategies used to avoid XSS when dynamically adding scripts containing user-specific content.
If it werenβt, the [evil] page could request this script inside a regular script tag and have access to the methods and objects defined by it.
, script Facebook xhr, , , . {"t":"refresh"}.
A script .