Possible Duplicate:
Why have “while(1);” in XmlHttpRequest response?

If you take a peek at the XHR POST requests that Gmail makes to the server when it updates the list of your email, you will see that each response starts with:

while(1);

[[["v","CKbPYpt__Vc.en.","8","d7634f09ff9e61c8"]
,["di",342]
,["ub",[["^i",1296218266987]
,["^f",1296218266987]
(...)

Why does Google start each response with an endless loop?

I read that it is a security trick (http://my.opera.com/hallvors/blog/show.dml/260127), but I am not sure how it is supposed to be a good security measure.

warpech

1 Answer

Taking a guess... So that any malicious attempt to eval the response or point a <script> block at the resource, rather than parsing it properly, will fail.

LukeH
  • but I can simply remove "while(1)" with string replace before eval, so no big difference – warpech Jan 28 '11 at 12:57
  • @warpech: But you can't (generally) do a cross-site XmlHttpRequest and then pre-parse before passing to `eval`. Pulling that response cross-site would require a ` – LukeH Jan 28 '11 at 13:01
  • No, if you can't do an XHR request on this URL you will not be able to get the raw data. – Arnaud Le Blanc Jan 28 '11 at 13:02
  • I understand now... The way to understand this JSON response would be to put it into – warpech Jan 28 '11 at 13:09
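
As an added example (not part of the original thread and not Google's code), this is the defensive pattern the answer and comments describe: same-origin code can read the raw response text, so it strips the `while(1);` prefix and parses the rest with `JSON.parse` rather than `eval`. The names `guardJson`, `parseGuarded`, `parsesAsPlainJson` and the sample payload are assumptions made for illustration.

```javascript
// Added example: all names and the sample payload are hypothetical.
const GUARD = "while(1);";

// Server side: prepend the guard so the body is never a usable script.
// A page that includes this URL as a script would execute the loop first
// and never reach the array literal that follows it.
function guardJson(value) {
  return GUARD + JSON.stringify(value);
}

// Client side, same origin: XHR/fetch exposes the raw text, so the guard
// can be verified and removed before a strict JSON parse. No eval is used.
function parseGuarded(text) {
  if (typeof text !== "string" || !text.startsWith(GUARD)) {
    // Fail closed: an unguarded body means the endpoint is not protected.
    throw new Error("missing anti-hijacking prefix");
  }
  return JSON.parse(text.slice(GUARD.length));
}

// Regression check for an endpoint: a guarded body must NOT parse as plain
// JSON, otherwise the guard was dropped somewhere (proxy, cache, refactor).
function parsesAsPlainJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample, shaped like the response quoted in the question.
const body = guardJson([["di", 342], ["ub", [["^i", 1296218266987]]]]);
console.log(body.slice(0, 20));          // starts with the guard
console.log(parseGuarded(body)[0]);      // first entry of the parsed array
console.log(parsesAsPlainJson(body));    // guarded body is not plain JSON
```

The guard only protects against cross-site script inclusion; the endpoint still needs its normal authentication and CSRF checks.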