Google plus returns ajax requests with )]}' on first line. I heard it is protection against XSS. Are there any examples what and how could anyone do with this with
As others said, it's a protection against Cross Site Script Inclusion (XSSI).
We explained this on Gruyere as:
Third, you should make sure that the script is not executable. The standard way of doing this is to append some non-executable prefix to it, like ])}while(1);. A script running in the same domain can read the contents of the response and strip out the prefix, but scripts running in other domains can't.
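The prefix handling described above, as an added example that is not part of the original answer or of Gruyere: it uses the `)]}'` prefix from the question, and the names `XSSI_PREFIX`, `protectJson`, `parseProtectedJson` and `compilesAsScript` are hypothetical. It shows that the prefixed body no longer compiles as a script, while a same-origin client that can read the response text strips the prefix and parses the rest.

```javascript
// Added example; all names here are hypothetical, not from any library.
const XSSI_PREFIX = ")]}'\n"; // the prefix quoted in the question

// Server side: serialize the data and put the non-executable prefix first.
function protectJson(value) {
  return XSSI_PREFIX + JSON.stringify(value);
}

// Same-origin client: it can read the response text (fetch/XHR), so it
// checks for the prefix, strips it and parses the remainder as JSON.
function parseProtectedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("response is missing the XSSI prefix");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// A cross-origin <script src=...> inclusion hands the body to the script
// parser. new Function() only compiles the text; it never runs it.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample data.
const sample = [{ id: 1, name: "constructed-user" }];
const unprotectedBody = JSON.stringify(sample);
const protectedBody = protectJson(sample);

console.log("bare JSON array compiles as script:", compilesAsScript(unprotectedBody));
console.log("prefixed response compiles as script:", compilesAsScript(protectedBody));
console.log("same-origin parse:", parseProtectedJson(protectedBody)[0].name);
```

The `])}while(1);` form quoted from Gruyere is not compile-checked here; the `while(1);` part guards the case where the leading characters alone do not stop the parser.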