GMail’s while(1) demystified

For a long time I've been wondering why GMail tends to add


to the top of their scripts when they send for example contact lists or E-mail texts embedded in JavaScript. Typically these scripts are requested with XMLHttpRequest and the first line is removed before the rest of the script is sent to eval(). If they didn't remove the while(1) it would of course create a never-ending loop, hang the page and perhaps even the browser. So why do they add it in the first place?

Today the penny dropped: it's a subtle security feature. If I on my evil home page added a script and set the source to a suitable GMail URL I might manage to make GMail send ME your contact list. However, if I manage I won't actually get to the data, I will simply hang your browser in the while loop.

Clever. But I wonder how much security it actually adds..?


One thought on “GMail’s while(1) demystified

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s