5

Possible Duplicate:
Why have “while(1);” in XmlHttpRequest response?
What does while(1) in Gmail do

I've recently stumbled upon the practice of prepending the AJAX-returned data with while (1==1) {} to offer some greater security against CSRF attacks, but I fail to see how that code can be useful. Could someone explain, please?

Community
  • 1
  • 1
Fluffy
  • 24,946
  • 33
  • 140
  • 221
  • 1
    http://stackoverflow.com/questions/4828413/what-does-while1-in-gmail-do, http://stackoverflow.com/questions/871505/why-have-while1-in-xmlhttprequest-response – RightSaidFred Dec 08 '11 at 18:50
  • @RightSaidFred: You can vote to close duplicate questions instead of just linking them. – derobert Dec 08 '11 at 18:57
  • Damn, I honestly have searched for this before posting. Is indeed a duplicate, but I can't delete it for some reason – Fluffy Dec 08 '11 at 19:03

1 Answers1

5

A remote site trying to execute a CSRF attack would need to load the data with a JSONP call. (injecting a script block in the page) If you would try to make a JSONP call and the script you get injected into your webpage the javascript vm would time out unable to load the data (because of the while loop). So the attacker won`t be able to see the data.

This ensures that only clients that match the same origin policy (loading the data via normal ajax call) can use the data, thus preventing any attacker from accessing the data from a remote site.

Daniel Kurka
  • 7,927
  • 2
  • 22
  • 43