Awesome and hilarious article. Id just like to note `for (;;);` is not to prevent users from using bad JSON parsers like `eval` but prevent older browsers with little to no cross domain policy from loading it with a script tag and doing evil XSS by overriding Array or Object constructors or prototypes to pull that data
No, CSRF (cross-site request forgery) is where a page tricks your browser into making requests to another domain in which you're already authenticated, in order to perform some kind of action. e.g. an img or script with a src "http://example.com/message.php?message=you+are+hax0red&s.... You can sometimes perform similar tricks with self-submitting hidden forms, or XHR. Quite easy to mitigate using nonces and referrer checking.
But.. that's exactly what while(1); and friends in json responses protect you against? someone overriding the Array constructor function and including your JSON resource from a <script src=…> ? So this is, in fact, CSRF?
No, CSRF isn't about pulling scripts etc from another site, it's tricking the browser into making malicious HTTP requests. So, it's not trying to grab facebook .com/someinterestingdata.json, it's trying to trick your browser into performing actions on the target domain by making it perform GET or POST requests such as sending Facebook spam. It doesn't matter what the response is, it's just interested in the action. A while(1) won't do much if it's inside an img tag or hidden iframe rather than a script tag.
