
How does `while (1) {}` help prevent CSRF? [duplicate]

Possible Duplicate:
Why have “while(1);” in XmlHttpRequest response?
What does while(1) in Gmail do

I've recently stumbled upon the practice of prepending the AJAX-returned data with `while (1==1) {}` to offer some greater security against CSRF attacks, but I fail to see how that code can be useful. Could someone explain, please?

Fluffy asked Dec 08 '11 18:12


1 Answer

A remote site trying to execute a CSRF attack would need to load the data with a JSONP call (injecting a script block in the page). If you try to make a JSONP call and the script you get is injected into your webpage, the JavaScript VM would time out, unable to load the data (because of the while loop). So the attacker won't be able to see the data.

This ensures that only clients that match the same-origin policy (loading the data via a normal AJAX call) can use the data, thus preventing any attacker from accessing the data from a remote site.

Daniel Kurka answered Nov 10 '22 16:11
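As an added example (not part of the original answer or any project's code), this sketch shows the guard from both ends: a server-side helper that prepends the loop and a same-origin client helper that strips it before `JSON.parse`. The names `guardJson`, `parseGuarded` and `isPlainJson` and the sample data are assumptions made for illustration.

```javascript
// Added example: the while(1) guard seen from the server and from the client.
const GUARD = "while(1);"; // prefix form named on this page

// Accepts the spellings seen on this page: while(1);  while (1) {}  while (1==1) {}
const GUARD_RE = /^\s*while\s*\(\s*1(?:\s*==\s*1)?\s*\)\s*(?:;|\{\s*\})\s*/;

// Server side (hypothetical helper): serialize the value and prepend the guard.
function guardJson(value) {
  return GUARD + JSON.stringify(value);
}

// Client side (hypothetical helper): only code that can read the raw response
// text, i.e. a same-origin XHR/fetch, is able to remove the guard and parse.
function parseGuarded(text) {
  const m = GUARD_RE.exec(text);
  if (!m) {
    // Fail closed: an unguarded body means the server-side protection regressed.
    throw new Error("response is missing the while(1) guard");
  }
  return JSON.parse(text.slice(m[0].length));
}

// A cross-site script include receives the same bytes but cannot read them as
// text, so it cannot strip the guard; as delivered, the body is not parseable JSON.
function isPlainJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample data.
const body = guardJson({ user: "alice", inbox: ["msg-1", "msg-2"] });
console.log(body);                                   // guarded wire format
console.log(isPlainJson(body));                      // guard makes it non-JSON
console.log(parseGuarded(body).inbox.length);        // same-origin client reads it
console.log(parseGuarded("while (1==1) {}[1,2,3]")); // other spelling from the page
```

In a browser the client helper would be called on the result of `response.text()` or `xhr.responseText`, never on `response.json()`, which would reject the guarded body.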