
Why does Google add while(1); to its JSON responses?

This prevents CSRF/XSRF (cross-site request forgery) attacks.

Consider the following example: let's say Google has a URL like gmail.com/json?action=inbox, which returns the first 50 messages in your mailbox in JSON format. An attacker whose site is on another domain cannot make an AJAX request to this URL to obtain the data, because of the same-origin policy. But nothing prevents an attacker from including the above URL on his page using the <script> tag.

URL , gmail.com. array , ( ), JSON.

while(1); &&&BLAH&&& . Gmail.com AJAX- . JavaScript - , , ( while(1); ) ( &&&BLAH&&& ).
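The prefix scheme described above, as an added example that is not part of the original article: the server prepends a guard, the same-origin AJAX client strips it before parsing, and the same body loaded as a script either fails to compile or never gets past the loop. The names GUARDS, guardJson, parseGuardedJson and scriptIncludeOutcome and the sample inbox are assumptions made for illustration.

```javascript
// Added example; all function and constant names here are hypothetical.
const GUARDS = ['while(1);', '&&&BLAH&&&'];

// Server side: prefix the serialized JSON with a guard.
function guardJson(value, guard = GUARDS[0]) {
  if (!GUARDS.includes(guard)) throw new Error('unknown guard: ' + guard);
  return guard + JSON.stringify(value);
}

// Same-origin AJAX client: it sees the raw response text, so it can drop the
// guard before parsing. Unguarded bodies are rejected so that an endpoint
// that lost its prefix is noticed instead of silently accepted.
function parseGuardedJson(text) {
  const guard = GUARDS.find((g) => text.startsWith(g));
  if (guard === undefined) throw new Error('missing anti-hijacking prefix');
  return JSON.parse(text.slice(guard.length));
}

// The same body when a foreign page loads it as a script: it is evaluated as
// JavaScript with no chance to strip anything first.
// The body is only compiled here, never run.
function scriptIncludeOutcome(text) {
  try {
    new Function(text);
  } catch (e) {
    if (e instanceof SyntaxError) return 'syntax error';
    throw e;
  }
  return text.startsWith('while(1);') ? 'infinite loop' : 'evaluates';
}

// Constructed sample data.
const inbox = [{ Id: 1, subject: 'hello' }];

console.log(parseGuardedJson(guardJson(inbox)));
console.log(scriptIncludeOutcome(guardJson(inbox)));
console.log(scriptIncludeOutcome(guardJson(inbox, '&&&BLAH&&&')));
console.log(scriptIncludeOutcome(JSON.stringify(inbox)));
```

Only the unguarded array reaches the 'evaluates' outcome, which is the case the prefix exists to remove.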


UPD:
d00kie :

— JSON Hijacking, 2007/2008 . , «» , « », . , , , Array() «» ( 2007 ):

Object.prototype.__defineSetter__('Id', function(obj){alert(obj);});


>3.0.11…

Source: https://habr.com/ru/post/168461/

