Monday, 15 August 2011

javascript - Why does Google prepend while(1); to their JSON responses?

Why does Google prepend while(1); to their (private) JSON responses?

For example, here's a response while turning a calendar on and off in Google Calendar:

while(1);[['u',[['smsSentFlag','false'],['hideInvitations','false'],['remindOnRespondedEventsOnly','true'],['hideInvitations_remindOnRespondedEventsOnly','false_true'],['Calendar ID stripped for privacy','false'],['smsVerifiedFlag','true']]]]

I would assume this is to prevent people from doing an eval() on it, but all you'd really have to do is replace the while and then you'd be set. I would assume the eval prevention is to make sure people write safe JSON parsing code.

I've seen this used in a couple of other places, too, but a lot more so with Google (Mail, Calendar, Contacts, etc.). Strangely enough, Google Docs starts with &&&START&&& instead, and Google Contacts seems to start with while(1); &&&START&&&.

What's going on here?

It prevents JSON hijacking.

Contrived example: say Google has a URL like mail.google.com/json?action=inbox which returns the first 50 messages of your inbox in JSON format. Evil websites on other domains can't make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a <script> tag. The URL is visited with your cookies, and by overriding the global array constructor or accessor methods they can have a method called whenever an object (array or hash) attribute is set, allowing them to read the JSON content.

The while(1); or &&&BLAH&&& prevents this: an AJAX request at mail.google.com will have full access to the text content, and can strip it away. But a <script> tag insertion blindly executes the JavaScript without any processing, resulting in either an infinite loop or a syntax error.

This does not address the issue of cross-site request forgery.
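The mechanism the answer describes, as an added example that is not part of the original question or answer and is not Google's code: a server-side helper that applies one of the two prefixes named on this page (while(1); or &&&START&&&), a same-origin client helper that strips a known prefix and parses the rest with JSON.parse, and a check modelling what a blind <script> include would do with the same bytes. The sample response below is constructed, loosely modelled on the calendar settings response in the question; the function names are my own.

```javascript
// Added example (not Google's code): applying and stripping an
// anti-JSON-hijacking prefix, and showing why a <script> include cannot use
// the prefixed body.

// The two prefixes mentioned on this page. Any opaque token that is not
// valid, harmless JavaScript on its own does the job.
const PREFIXES = ["while(1);", "&&&START&&&"];

// Server side: emit the JSON body behind a prefix so the response is not
// usable as a plain JavaScript program.
function guardJson(value, prefix = PREFIXES[0]) {
  return prefix + JSON.stringify(value);
}

// Same-origin client side (XMLHttpRequest/fetch): the page holds the raw
// response text, so it can strip a known prefix and parse the remainder.
// Only an exact known prefix is accepted, and JSON.parse (never eval or
// Function) is used, so nothing in the response is ever executed.
function parseGuardedJson(text) {
  const prefix = PREFIXES.find((p) => text.startsWith(p));
  if (prefix === undefined) {
    throw new Error("response is missing the expected anti-hijacking prefix");
  }
  return JSON.parse(text.slice(prefix.length));
}

// A cross-origin <script src=...> include hands the whole body to the
// JavaScript parser with no chance to strip anything first. We model the
// parse step with the Function constructor, which compiles the body but
// does not run it:
//   "&&&START&&&[...]" does not compile at all (syntax error);
//   "while(1);[...]"   compiles, but its first statement never terminates,
//                      so the array literal after it is never evaluated;
//   a bare "[...]"     compiles and would run, which is the hijackable case.
function scriptIncludeOutcome(text) {
  try {
    new Function(text);
  } catch (e) {
    if (e instanceof SyntaxError) return "syntax error";
    throw e;
  }
  return text.startsWith("while(1);") ? "infinite loop" : "executes";
}

// Constructed sample, modelled on the calendar response in the question.
const SAMPLE = [["u", [["smsSentFlag", "false"], ["hideInvitations", "false"]]]];

// Stand-alone demonstration.
for (const prefix of PREFIXES) {
  const body = guardJson(SAMPLE, prefix);
  console.log(JSON.stringify(prefix), "-> script include:", scriptIncludeOutcome(body),
    "| same-origin parse ok:", JSON.stringify(parseGuardedJson(body)) === JSON.stringify(SAMPLE));
}
console.log("unprefixed -> script include:", scriptIncludeOutcome(JSON.stringify(SAMPLE)));
```

Note that parseGuardedJson rejects an unprefixed body rather than parsing it; a same-origin client that silently accepts responses without the prefix would mask a server regression. As the answer says, none of this prevents cross-site request forgery: the prefix only stops a cross-origin page from reading the response, not from causing the request.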

javascript ajax json
