For a long time I've been wondering why GMail tends to add
Today the penny dropped: it's a subtle security feature. If I on my evil home page added a script and set the source to a suitable GMail URL I might manage to make GMail send ME your contact list. However, if I manage I won't actually get to the data, I will simply hang your browser in the while loop.
Clever. But I wonder how much security it actually adds..?