Possible Duplicate:
Why have “while(1);” in XmlHttpRequest response?
What does while(1) in Gmail do
I've recently stumbled upon the practice of prepending the AJAX-returned data with while (1==1) {}
to offer some greater security against CSRF attacks, but I fail to see how that code can be useful. Could someone explain, please?
A remote site trying to execute a CSRF attack would need to load the data with a JSONP call. (injecting a script block in the page) If you would try to make a JSONP call and the script you get injected into your webpage the javascript vm would time out unable to load the data (because of the while loop). So the attacker won`t be able to see the data.
This ensures that only clients that match the same origin policy (loading the data via normal ajax call) can use the data, thus preventing any attacker from accessing the data from a remote site.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With