by willscott 5688 days ago
Presumably on the Google website the script is loaded via an xmlhttp request which then strips the initial text and evals the rest. By adding the initial throw 1; they prevent other sites from including the script, since it won't do anything.
4 comments

Cool site. I've never seen that before. Learn about web security by breaking it.
What about hackthissite.org?
That's extremely smart. XMLHttpRequest protects you via the same origin policy. But there are other ways (such as JSONP) to load JavaScript and bypass the same origin policy. It's not like you cannot opt out of things like JSONP, but this trick adds another layer of protection and is particularly useful in fighting XSSI.
If another site really wanted to include the script, it could also strip the initial text. Is the purpose only to prevent people from including the script by mistake?
You can't make an XHR request to another domain. You can only include it via a <script> tag and that is going to fail.
Didn't know that. Thanks!
thanks!
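
The mechanism discussed in this thread, as an added example that is not part of any comment or of Google's own code: a same-origin reader receives the body as text and can strip the `throw 1;` guard, while a `<script>` include runs the body as code and stops at the throw. The function names and the sample payload are assumptions, and `JSON.parse` stands in for the eval mentioned above.

```javascript
// Added example; function names are hypothetical, not from any real site's code.
const GUARD = "throw 1;"; // the prefix described in the thread

// Constructed sample payload (not real data).
const SAMPLE_JSON = '[{"user":"alice","email":"alice@example.test"}]';
const guardedBody = GUARD + SAMPLE_JSON;

// Same-origin consumer: it read the body as text (e.g. via XMLHttpRequest),
// so it can check for the guard, strip it and parse the remainder.
// JSON.parse is used instead of eval so the payload is never executed.
function parseGuarded(text) {
  if (!text.startsWith(GUARD)) {
    throw new Error("response is missing the anti-XSSI guard");
  }
  return JSON.parse(text.slice(GUARD.length));
}

// What a <script src=...> include amounts to: the whole body runs as code,
// and the including page never sees the text, so it cannot strip anything.
function runAsScript(text) {
  try {
    new Function(text)();
    return { completed: true, thrown: undefined };
  } catch (e) {
    return { completed: false, thrown: e };
  }
}

console.log(parseGuarded(guardedBody)); // parsed data for the legitimate reader
console.log(runAsScript(guardedBody));  // aborted by the guard
console.log(runAsScript(SAMPLE_JSON));  // unguarded body runs to completion
```
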