It prevents disclosure of the response through JSON hijacking.

In theory, the content of HTTP responses are protected by the Same Origin Policy: pages from one domain cannot get any informations from pages on an other domain (unless explicitly allowed).

An attacker can request pages on other domains on your behalf, e.g. by using a

Thus, if you visit an attacker’s page, it couldn’t read your email from gmail.com.

Except that when using a script tag to request JSON content, the JSON is executed as Javascript in an attacker’s controlled environment. If the attacker can replace the Array or Object constructor or some other method used during object construction, anything in the JSON would pass through the attacker’s code, and be disclosed.

Note that this happens at the time the JSON is executed as Javascript, not at the time it’s parsed.

There are multiple counter measures:

Making sure the JSON never executes

By placing a while(1); statement before the JSON data, Google makes sure that the JSON data is never executed as Javascript.

Only a legitimate page could actually get the whole content, strip the while(1); , and parse the remainder as JSON.

Making sure the JSON is not valid Javascript

Similarly, adding invalid tokens before the JSON, like &&&START&&&, makes sure that it is never executed.

Always return JSON with an Object on the outside

This is OWASP recommended way to protect from JSON hijacking, and is the less intrusive one.

Similarly to the the previous counter-measures, it makes sure that the JSON is never executed as Javascript.

A valid JSON object, when not enclosed by anything, is not valid in Javascript:

eval('{"foo":"bar"}')
// SyntaxError: Unexpected token :Copy the code

This is however valid JSON:

JSON.parse('{"foo":"bar"}')
// Object {foo: "bar"}Copy the code

So, making sure you always return an Object at the top level of the response makes sure that the JSON is not valid Javascript, while still being valid JSON.

Comparison of above methods

The OWASP way is less intrusive, as it needs no client library changes, and transfers valid JSON. It is unsure whether past or future browser bugs could defeat this, however. As noted by @oriadam, it is unclear whether data could be leaked through an error handling or not (e.g. window.onerror).

Google’s way requires client library in order for it to support automatic de-serialization, and can be considered to be safer with regard to browser bugs.

Both methods require server changes in order to avoid developers from accidentally sending vulnerable JSON.

mo4tech.com (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.

Why does Google add while(1) to the header of the data in the internally transmitted JSON?

Making sure the JSON never executes

Making sure the JSON is not valid Javascript

Always return JSON with an Object on the outside

Comparison of above methods

Why does Google add while(1) to the header of the data in the internally transmitted JSON?

Making sure the JSON never executes

Making sure the JSON is not valid Javascript

Always return JSON with an Object on the outside

Comparison of above methods

Related Posts

Drink tea at 3, leave work at 7, happy ~

Install electron with Error: EACCES: Permission denied, mkdir ‘/.

Automatic import of JS files in vuex