Question
Why do some Google private JSON responses begin with while (1);?
For example, when toggling a calendar setting in Google Calendar, the response may look like this:
while (1);
[
['u', [
['smsSentFlag', 'false'],
['hideInvitations', 'false'],
['remindOnRespondedEventsOnly', 'true'],
['hideInvitations_remindOnRespondedEventsOnly', 'false_true'],
['Calendar ID stripped for privacy', 'false'],
['smsVerifiedFlag', 'true']
]]
]
It seems like this might be done to stop developers from calling eval() directly on the response, since the response is no longer valid JavaScript data by itself. However, someone could still manually remove the prefix.
I have also seen similar prefixes such as &&&START&&&, and in some cases both while(1); and &&&START&&& together.
What is the purpose of these prefixes, and what problem are they trying to solve?
Short Answer
By the end of this page, you will understand why some web applications prepend strings like while(1); to JSON responses, what JSON hijacking is, why this was historically important in JavaScript applications, and what safer modern alternatives are commonly used today.
Concept
The core idea
Prefixes like while(1); are a defensive trick added before JSON responses so the response is not directly executable as JavaScript.
This was mainly used to reduce the risk of a class of attacks often called JSON hijacking or cross-site script inclusion attacks.
Why this mattered
In older web applications, some endpoints returned sensitive data as raw JSON, often arrays or objects. If that JSON could be loaded in a <script> tag from another site, the browser might execute it as JavaScript in a way that exposed private data.
For example, if an authenticated user visited a malicious site, that site might try to load a private JSON endpoint from another domain:
<script src="https://example.com/private-data"></script>
If the response was valid executable JavaScript, the attacker could sometimes abuse that behavior.
What while(1); does
This prefix makes the response invalid as plain JSON and also useless when treated as a script:
while (1);
[{"secret":"data"}]
If a browser tries to execute that as JavaScript, it gets stuck in an infinite loop before reaching the data. That means the payload cannot be meaningfully consumed through script inclusion.
Mental Model
Think of the JSON response as a package being shipped.
- A normal JSON response is like a package with the contents immediately visible.
- A prefixed response adds a tamper seal on top.
- The official client knows how to remove the seal first.
- A browser blindly executing it as a script trips over the seal and cannot use the contents directly.
while(1); is an extreme kind of seal: if you try to "run" the package as code, you never get past the first line.
So the prefix is not meant to make the data impossible to read forever. It is meant to stop the browser from accidentally treating private data as executable script in the wrong context.
Syntax and Examples
Basic pattern
A server may return something like this:
while (1);
{"name":"Alice","role":"admin"}
That is not valid JSON because of the extra prefix.
A trusted client can remove the prefix and then parse the rest.
Example in JavaScript
const responseText = 'while (1);{"name":"Alice","role":"admin"}';
const cleaned = responseText.replace(/^while \(1\);/, '');
const data = JSON.parse(cleaned);
console.log(data.name); // Alice
Another common prefix
const responseText = ")]}',\n{"ok":true}";
const cleaned = responseText.replace(/^\)\]\}',\n/, '');
const data = JSON.(cleaned);
Step by Step Execution
Example response
while (1);
["red", "green", "blue"]
Client-side processing
const responseText = 'while (1);["red", "green", "blue"]';
const cleaned = responseText.replace(/^while \(1\);/, '');
const colors = JSON.parse(cleaned);
console.log(colors[1]);
Step by step
1. The server sends text
The client receives this exact string:
while (1);["red", "green", "blue"]
2. The prefix is removed
This line removes the anti-execution prefix:
const cleaned = responseText.replace(/^while \(1\);/, );
Real World Use Cases
1. Private web app endpoints
Large JavaScript applications such as mail, calendar, and admin dashboards often had internal endpoints returning structured data. Prefixes were used so those endpoints could not be safely included as scripts from another origin.
2. Protecting authenticated GET responses
If a browser automatically sent cookies with a request, a malicious site might try to load a user's private data through a <script> tag. Prefixing the response reduced that risk.
3. Legacy AJAX applications
Before modern browser security features became standard, many applications used custom response formats and defensive prefixes as an extra layer of protection.
4. Internal APIs with custom clients
Some apps controlled both server and client code. That made it practical to add a prefix server-side and remove it client-side before parsing.
5. Defensive parsing conventions
Even today, some systems add a non-JSON prefix like )]}', to ensure the client explicitly recognizes and parses the payload rather than accidentally executing it.
Real Codebase Usage
Common patterns in real projects
Explicit response normalization
Developers often create a small utility that removes known prefixes before parsing:
function parseSafeJson(text) {
const cleaned = text
.replace(/^while \(1\);/, '')
.replace(/^for \(;;\);/, '')
.replace(/^\)\]\}',?\n/, '');
return JSON.parse(cleaned);
}
This keeps the parsing logic in one place.
Guard clauses
A parser may first verify that the payload begins with an expected prefix or valid JSON token:
function parseGoogleStyleResponse(text) {
if (text.startsWith('while (1);')) {
text = text.slice('while (1);'.length);
}
return JSON.parse(text);
}
Validation before parsing
Common Mistakes
1. Treating prefixed JSON as normal JSON
This will fail because the response contains extra characters before the JSON.
Broken code:
const text = 'while (1);{"ok":true}';
JSON.parse(text); // Error
Fix:
const cleaned = text.replace(/^while \(1\);/, '');
JSON.parse(cleaned);
2. Using eval() to parse the response
Broken code:
const data = eval(text);
Why it is wrong:
- executes code instead of parsing data
- unsafe for untrusted input
- unnecessary in modern JavaScript
Fix:
const data = JSON.parse(cleaned);
3. Removing the prefix too loosely
If you do a generic replace, you may accidentally modify valid content later in the string.
Comparisons
Related approaches
| Approach | What it does | Main purpose | Still common? |
|---|---|---|---|
| Raw JSON | Returns plain JSON directly | Simple API responses | Yes |
while(1); prefix | Makes response non-JSON and non-useful as script | Mitigate JSON hijacking | Mostly legacy |
for(;;); prefix | Same idea as while(1); | Mitigate script inclusion abuse | Mostly legacy |
)]}', prefix | Breaks JavaScript parsing and signals custom parsing | XSSI protection | Still seen sometimes |
&&&START&&& prefix |
Cheat Sheet
Quick reference
What is while(1); before JSON?
A defensive prefix added before a JSON payload so the response is not directly executable as JavaScript.
Why was it used?
Mostly to reduce the risk of JSON hijacking or cross-site script inclusion attacks in older web apps.
What should a client do?
- Remove the known prefix
- Parse the remaining text with
JSON.parse()
Example
const cleaned = text.replace(/^while \(1\);/, '');
const data = JSON.parse(cleaned);
Common prefixes
while (1);
for (;;);
)]}',
&&&START&&&
Do not do this
eval(text)
Important rule
A prefix is an extra defense, not a replacement for:
FAQ
Why does while(1); stop the response from being used as a script?
Because it starts an infinite loop immediately, so the rest of the response is never usefully executed when treated as JavaScript.
Is while(1); valid JSON?
No. It makes the response invalid as raw JSON until the prefix is removed.
Was this mainly about stopping eval()?
Not primarily. It was mainly a defense against browsers loading private JSON endpoints as scripts from another site.
Why could a normal client still use the response?
Because the intended client knows to remove the prefix first and then parse the remaining JSON.
What is JSON hijacking?
It is a class of attacks where a malicious site tries to exploit how browsers handle script loading to access sensitive JSON from another origin.
Why do some services use )]}', instead?
It serves a similar purpose: making the response invalid or non-executable until the client explicitly strips the prefix.
Is this still needed in modern APIs?
Usually not as a primary defense. Modern APIs more commonly rely on CORS, CSRF protection, secure cookies, and token-based authentication.
Should I add while(1); to my own API?
Usually no, unless you are maintaining a legacy client/server contract. For new APIs, plain JSON plus proper security controls is typically better.
Mini Project
Description
Build a small JavaScript parser that accepts server responses containing anti-execution prefixes such as while(1); or )]}', and safely converts them into usable JavaScript data. This mirrors the kind of compatibility code developers write when integrating with legacy or private endpoints.
Goal
Create a function that strips known prefixes and safely parses the remaining JSON using JSON.parse().
Requirements
- Write a function that accepts a response string.
- Remove at least two known protective prefixes if they appear at the start.
- Parse the cleaned text as JSON.
- Return the parsed result.
- Handle invalid input without using
eval().
Keep learning
Related questions
Deep Cloning Objects in JavaScript: Methods, Trade-offs, and Best Practices
Learn how to deep clone objects in JavaScript, compare structuredClone, JSON methods, and recursive approaches with examples.
Get Screen, Page, and Browser Window Size in JavaScript
Learn how to get screen size, viewport size, page size, and scroll position in JavaScript across major browsers with clear examples.
How JavaScript Closures Work: A Beginner-Friendly Guide
Learn how JavaScript closures work with simple explanations, examples, common mistakes, and practical use cases for real code.