javascript ajax post json – Why does Google prepend while(1); to their JSON responses?

Why does Google prepend while(1) to their (private JSON) responses?

Here’s an example of a Google Calendar response when you turn a calendar on or off:

while (1);
  ['u', [
    ['smsSentFlag', 'false'],
    ['hideInvitations', 'false'],
    ['remindOnRespondedEventsOnly', 'true'],
    ['hideInvitations_remindOnRespondedEventsOnly', 'false_true'],
    ['Calendar ID stripped for privacy', 'false'],
    ['smsVerifiedFlag', 'true']
  ]]

JavaScript does not recognize a valid JSON object that isn’t enclosed by any other objects.

// SyntaxError: Unexpected token :

However, this is valid JSON

// Object {foo: "bar"}

JSON Hijacking is a similar attack to Cross-Site Request Forgery. An attacker can gain cross-domain sensitive JSON information from applications that return sensitive data in array literals to GET queries. Below is an example of a JSON-based call that returns an array literal.


Step 1: Allow an authenticated user to access a malicious webpage.

Step 2: The malicious webpage will attempt to access sensitive data from an application the user is currently logged into. You can embed a script tag into an HTML page to accomplish this, since script tags are not subject to the same-origin policy.

<script src="http://<jsonsite>/json_server.php"></script>

secrets = secrets.concat(" ", obj);


The <script> tag is exempted from the Same Origin Policy. This is a security requirement in the web world. while(1) when added to a JSON response prevents misuse in the <script> tag.
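
Added example (not part of the original answers, and not Google's code): a sketch of the defence described above, with a server helper that prepends the guard and a same-origin client parser that strips it before parsing and fails closed when it is missing. The names guardJson, parseGuardedJson and parsesAsScript and the sample data are assumptions made for illustration.

```javascript
// Accept "while(1);" or "while (1);" (the spacing used in the quoted response).
const GUARD = /^\s*while\s*\(\s*1\s*\)\s*;/;

// Server side: emit the loop before the JSON, so a cross-site <script src=...>
// include of this URL spins forever instead of evaluating the array literal.
function guardJson(value) {
  return 'while(1);' + JSON.stringify(value);
}

// Client side: a same-origin XHR/fetch caller can read the raw response text,
// cut the guard off, and parse the remainder as data (never as script).
// A response without the guard is rejected rather than parsed.
function parseGuardedJson(text) {
  const m = GUARD.exec(text);
  if (!m) throw new Error('missing while(1); guard');
  return JSON.parse(text.slice(m[0].length));
}

// Does `src` compile as script source? new Function only compiles the text;
// it is never called here, so the loop does not run.
function parsesAsScript(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Constructed sample data, shaped like the calendar response quoted above.
const settings = [['u', [['smsSentFlag', 'false'], ['smsVerifiedFlag', 'true']]]];
const body = guardJson(settings);

// A bare top-level object is not a valid script, a bare array literal is,
// which is why array responses are the ones that need the guard.
const objectIsScript = parsesAsScript('{"foo":"bar"}'); // false
const arrayIsScript = parsesAsScript('[1,2]');          // true
// The guarded body is still valid script, but execution never gets past the loop.
const guardedIsScript = parsesAsScript(body);           // true
```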