while(1) in front of the JSON response
An attacker could use <script src="http://remote.com/data.json"></script> to load the remote JSON data using the victim's session ID, and capture that data with the following code. Modern browsers no longer allow this:
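// Collects every value passed to the setter below.
var captured = [];
// Legacy setter on Object.prototype: called with the value whenever
// a 'model' property is set on any object.
Object.prototype.__defineSetter__('model', function (str) {
  captured.push(str);
});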
This is called JSON hijacking.
The defense is to prepend while(1) to the JSON response. The attacker won't be able to get past the first line if the data is loaded using a <script> tag, because the browser will freeze while running the loop.
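The legitimate same-origin client can still use the response, because XHR/fetch gives it the raw text and it can strip the guard before parsing. The sketch below is an added example, not code from the original post; the function names, the exact prefix string `while(1);` and the sample payload are assumptions.

```javascript
// Added example: guard string and helper names are assumed, not from the post.
const PREFIX = 'while(1);';

// Server side: serialize the payload and prepend the loop guard.
// A <script src> include would execute the loop and never reach the data.
function guardJson(value) {
  return PREFIX + JSON.stringify(value);
}

// Client side (same-origin XHR/fetch): the caller can read the raw text,
// so it removes the guard and parses the rest as data, never as script.
// A response without the guard is rejected instead of being parsed.
function parseGuardedJson(text) {
  if (typeof text !== 'string' || !text.startsWith(PREFIX)) {
    throw new Error('response is missing the while(1); guard');
  }
  return JSON.parse(text.slice(PREFIX.length));
}

// True when the text is plain JSON, i.e. the guard was not applied.
function isBareJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample payload using the 'model' key from the snippet above.
const body = guardJson([{ model: 'secret-value' }]);
const data = parseGuardedJson(body);
console.log(body, data[0].model, isBareJson(body));
```

`isBareJson` is useful in a response test suite to confirm that every JSON endpoint actually emits the guard.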