Why does Google prepend while(1); to their JSON responses?

I think it&#x27;s important to note that this is a bug that effects older browsers only. Modern IE, Chrome, and Firefox have security measures that do not allow scripts to capture values passed to constructors of a literal. That way, this hack is only needed for older browsers and will hopefully not be needed at all in the future. For more info: <a href="http://stackoverflow.com/a/16880162/372767" rel="nofollow">http:&#x2F;&#x2F;stackoverflow.com&#x2F;a&#x2F;16880162&#x2F;372767</a><p>Also note that this attack, JSON Hijacking, is <i>different</i> than a CSRF (Cross Site Request Forgery) and has little to do with CSRF tokens.

There is a long discussion about this at<p><a href="https://news.ycombinator.com/item?id=5168121" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=5168121</a><p>(from about a year ago)

Chrome DevTools recognice while(1) and for(;;) in the network tab (JSON preview). Sadly, Firebug still doesn&#x27;t know how to handle this and shows no JSON preview :(

Does anyone know what browsers allow you to override the Array constructor? I was under the impression that modern browsers don&#x27;t.

A good description: <a href="http://stackoverflow.com/questions/6339790/what-does-a-ajax-call-response-like-for-json-data-mean" rel="nofollow">http:&#x2F;&#x2F;stackoverflow.com&#x2F;questions&#x2F;6339790&#x2F;what-does-a-ajax-...</a><p>The idea: you need such workaround only if you return JSON Array.<p>Most of the API returns JSON Object in which case the attack does not work, it will result in syntax error.

After seeing this I went to see if AngularJS had anything built in to mitigate JSON hijacking and they do. It will strip &quot;)]}&#x27;,\n&quot; off of json responses if included from the server.<p><a href="http://docs.angularjs.org/api/ng.$http#description_security-considerations" rel="nofollow">http:&#x2F;&#x2F;docs.angularjs.org&#x2F;api&#x2F;ng.$http#description_security-...</a>

So does this solve the problem with using remote JS templates (advocated by DHH and 37s), what was outlined here [1]?<p>[1]: <a href="https://github.com/jcoglan/unsafe_sjr/blob/master/README.md" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jcoglan&#x2F;unsafe_sjr&#x2F;blob&#x2F;master&#x2F;README.md</a>

Would introducing a syntax error into my JSON help prevent CSRF attacks? We don&#x27;t use JSONP.

Is it correct to use the Content-Type application&#x2F;json on this? IMO: not.<p>(I&#x27;ve just tested Firefox network view and it breaks the response display with syntax error -- there should be an option to select the format).

It looks like modern Chrome doesn&#x27;t trigger setters when constructing from literals, so that&#x27;s encouraging. <a href="http://jsfiddle.net/KY4Sa/" rel="nofollow">http:&#x2F;&#x2F;jsfiddle.net&#x2F;KY4Sa&#x2F;</a>

Google is wrong IMO: there is no need to have such workaround. In rails we had similar problem <a href="https://community.rapid7.com/community/metasploit/blog/2013/12/29/remote-js--an-insecure-pattern-in-rails-code" rel="nofollow">https:&#x2F;&#x2F;community.rapid7.com&#x2F;community&#x2F;metasploit&#x2F;blog&#x2F;2013&#x2F;...</a> and fixed it by adding request.xhr? check on server side.<p>while(1) is ugly solution to currently non-existing problem.

What happens when you visit a malicious website and your computer gets stuck on `while(1)`? Syntax error would be better?

Why doesn&#x27;t this prevent CSRF?

Facebook uses &quot;for(;;);&quot; as it&#x27;s one char shorter.

It&#x27;s the bot.

Smart!