[nothrabannosir]

But.. that's exactly what while(1); and friends in json responses protect you against? someone overriding the Array constructor function and including your JSON resource from a <script src=…> ? So this is, in fact, CSRF?

[ascorbic]

No, CSRF isn't about pulling scripts etc from another site, it's tricking the browser into making malicious HTTP requests. So, it's not trying to grab facebook .com/someinterestingdata.json, it's trying to trick your browser into performing actions on the target domain by making it perform GET or POST requests such as sending Facebook spam. It doesn't matter what the response is, it's just interested in the action. A while(1) won't do much if it's inside an img tag or hidden iframe rather than a script tag.