15 Sep 2008

Basic API Protection

Google uses a simple (but probably effective) method to prevent cross-domain API access by adding a while (1) loop to any data sent over JavaScript.

If this call is made from the google.com domain via XMLHttpRequest, the while (1) can be stripped out to get the data. But if cross-domain access is attempted via the script tag, it sends the browser into an infinite loop, preventing the data from being used.
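
A sketch of both halves of the scheme described above, as an added example that is not Google's code. The exact prefix string in GUARD and the function names guardJson, parseGuarded and rejectedByPlainParser are assumptions; the sample payload is constructed.

```javascript
// Added example, not Google's code. GUARD is an assumed spelling of the
// prefix; the page only says "a while (1) loop".
const GUARD = "while(1);";

// Server side: serialise the payload and put the guard in front of it.
function guardJson(value) {
  return GUARD + JSON.stringify(value);
}

// Client side, same origin: an XMLHttpRequest caller can read the response
// text, so it removes the guard before parsing. A <script> include from
// another site never sees the text; the browser just executes it and spins
// in the loop before reaching the data.
function parseGuarded(text) {
  if (typeof text !== "string" || !text.startsWith(GUARD)) {
    // Fail closed: an unguarded response means the endpoint is misconfigured.
    throw new Error("response is missing the guard prefix");
  }
  return JSON.parse(text.slice(GUARD.length));
}

// True when a plain JSON parser refuses the body, which is why every
// legitimate client has to strip the guard explicitly.
function rejectedByPlainParser(text) {
  try {
    JSON.parse(text);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample payload.
const body = guardJson({ contacts: ["alice@example.com", "bob@example.com"] });
console.log(body);
console.log(parseGuarded(body).contacts);
console.log(rejectedByPlainParser(body));
```

Rejecting a response that lacks the prefix, rather than parsing it anyway, makes an endpoint that has stopped sending the guard show up as an error in the client.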