Why does Google prepend while(1); to their JSON responses?

598 points by vikas0380 about 8 years ago

13 comments

c0achmcguirk about 8 years ago
I believe this hack (JSON Hijacking) was discovered by Jeremiah Grossman in 2005[1].

It's fascinating to read how he discovered it and how quickly Google responded.

[1] - http://blog.jeremiahgrossman.com/2006/01/advanced-web-attack-techniques-using.html
samfisher83 about 8 years ago
Why don't browsers strip cookies when they are doing cross domain javascript fetches?
westoque about 8 years ago
I wondered the same thing years ago. I always thought that browsers would have implemented other security measures so that websites avoid doing this.

Around 90 something percent of websites I visit don't implement that `for(;;)` or `while(1)` solution.

So are we saying that they're vulnerable sites?
xg15 about 8 years ago
I had a hunch that this is to prevent people from including the resource in a script tag - but I always wondered how they'd access the data as a JSON expression on its own should technically be a no-op when interpreted as JS (or so I thought).

The overridden array constructor was the missing link.

Though couldn't you have it easier by making sure your top-level JSON structure is always an object?

As far as I know, while a standalone array expression []; is a valid JS statement, a standalone object expression {}; is not and would produce a syntax error.
zoren about 8 years ago
That is one weird array in Google's reply. Looks like it could have been an object instead, whereby JSON hijacking wouldn't be a problem.
maambmb about 8 years ago
I feel like the browser could use the Content-Type header to check whether the response is JSON or actual executable javascript - throwing an error if the former
CaliforniaKarl about 8 years ago
I haven't worked with JSON like that before. Do JSON parsers properly ignore the stuff Google puts in, or do you have to strip it out before parsing?
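
For the question above about whether JSON parsers ignore the guard: an added example (not part of the thread and not Google's or Facebook's code) showing that a stock `JSON.parse` rejects a guarded body, so a client that can read the raw text strips the prefix first. The helper names and the sample data are assumptions made for illustration.

```javascript
// Added example. The two guard strings are the ones quoted in this thread.
const GUARD_PREFIXES = ["while(1);", "for(;;);"];

// Server side (hypothetical helper): emit JSON behind a guard so the body,
// if pulled in through <script src>, loops forever before the data is reached.
function guardJson(value, prefix = GUARD_PREFIXES[0]) {
  if (!GUARD_PREFIXES.includes(prefix)) {
    throw new RangeError("unknown guard prefix");
  }
  return prefix + JSON.stringify(value);
}

// Client side (hypothetical helper): a same-origin XHR/fetch caller can read
// the raw text, so it removes the guard and only then calls JSON.parse.
function parseGuardedJson(body, { requireGuard = true } = {}) {
  const text = String(body).replace(/^\uFEFF/, "").trimStart();
  const prefix = GUARD_PREFIXES.find((p) => text.startsWith(p));
  if (prefix === undefined) {
    if (requireGuard) {
      throw new Error("response is missing the expected guard prefix");
    }
    return JSON.parse(text);
  }
  return JSON.parse(text.slice(prefix.length));
}

// A stock parser does not skip the guard: it rejects the body outright.
function stockParserRejects(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (err) {
    return err instanceof SyntaxError;
  }
}

// Constructed sample data, not a real API response.
const sample = guardJson([["contact", "alice@example.test"]]);
console.log(sample);
console.log(stockParserRejects(sample));
console.log(parseGuardedJson(sample));
```
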
NewEntryHN about 8 years ago
Google uses cookies to authenticate API requests?
the_mitsuhiko about 8 years ago
Pretty sure browsers no longer permit overriding ctors for literals.
winteriscoming about 8 years ago
Every time I read about such constructs, it makes me realize, as a regular developer, how complex web application security is and how difficult it is to think about and cover your application against each and every such potential problem.
frik about 8 years ago
FB prepends a "for(;;);" which is 1 char shorter than "while(1);", has been the case since 2012/13.

Firebug v2 and ChromeTools know how to parse such JSON and ignore that first part. (IE11 and Firefox newer DevTools can't "handle" it aka show just a plain text string)
Animats about 8 years ago
Why not "while(0)"? Then an eval wouldn't do anything.
tossaway322 about 8 years ago
Jeez, why not live w/o JavaScript?

We keep trying to accommodate a defunct language with insoluble problems. Isn't that an error in our thinking processes?

https://www.wired.com/2015/11/i-turned-off-javascript-for-a-whole-week-and-it-was-glorious/