javascript ajax post json – Why does Google prepend while(1); to their JSON responses?

Why does Google prepend while(1) to their (private JSON) responses?

Here’s an example of a Google Calendar response when you turn a calendar on or off:

while (1);
  ['u', [
    ['smsSentFlag', 'false'],
    ['hideInvitations', 'false'],
    ['remindOnRespondedEventsOnly', 'true'],
    ['hideInvitations_remindOnRespondedEventsOnly', 'false_true'],
    ['Calendar ID stripped for privacy', 'false'],
    ['smsVerifiedFlag', 'true']
  ]]

A valid JSON object that isn't enclosed by anything else is not valid JavaScript when it is evaluated as a script:

// SyntaxError: Unexpected token :

However, this is valid JSON:

// Object {foo: "bar"}

JSON Hijacking is an attack similar to Cross-Site Request Forgery. An attacker can gain cross-domain access to sensitive JSON information from applications that return sensitive data in array literals in response to GET queries. Below is an example of a JSON-based call that returns an array literal.


Step 1: Allow an authenticated user to access a malicious webpage.

Step 2: The malicious webpage will attempt to access sensitive data from an application the user is currently logged into. You can embed a script tag into an HTML page to accomplish this, since script tags are not subject to the same-origin policy.

<script src="http://<jsonsite>/json_server.php"></script>

secrets = secrets.concat(" ", obj);


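The <script> tag is exempt from the Same Origin Policy, which is a security requirement in the web world. Prepending while(1); to a JSON response prevents its misuse through a <script> tag: the included script loops forever before it reaches the data, while same-origin code that fetches the response as text can strip the prefix before parsing.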
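The guard described above, seen from the defender's side, as an added example that is not code from the original page or from Google: the server prepends the prefix, and the same-origin client strips it before parsing and rejects any response that lacks it. The function names and the sample data are hypothetical and constructed for illustration.

```javascript
// Added example, not from the original page; all names are hypothetical.
const PREFIX = 'while(1);';
const PREFIX_RE = /^\s*while\s*\(\s*1\s*\)\s*;/; // also accepts "while (1);"

// Server side: serialize and prepend the guard to a private JSON response.
function guardJson(data) {
  return PREFIX + JSON.stringify(data);
}

// Client side: same-origin code receives the body as text (XHR/fetch),
// so it can strip the guard before parsing. A <script> include cannot.
function parseGuardedJson(body) {
  if (!PREFIX_RE.test(body)) {
    // Fail closed: an unguarded response means the endpoint is misconfigured.
    throw new Error('missing while(1); guard');
  }
  return JSON.parse(body.replace(PREFIX_RE, ''));
}

// Does the text compile as a script, which is what a <script src> include
// would attempt? new Function only compiles here; the body is never called.
function compilesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample data.
const settings = [['smsSentFlag', 'false'], ['smsVerifiedFlag', 'true']];
const body = guardJson(settings);

console.log(compilesAsScript('{"foo":"bar"}'));          // bare object: false
console.log(compilesAsScript(JSON.stringify(settings))); // bare array: true
console.log(compilesAsScript(body)); // true, but the loop runs before the data
console.log(parseGuardedJson(body)); // the settings array, recovered
```

The bare array is the risky case because it is a complete, valid script on its own; the bare object already fails to compile, which matches the SyntaxError shown earlier.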
