We are looking at using the unparseable cruft approach to our JSON as an extra level of security.
In looking at the approaches, I've come across Google's while(1); and Facebook's for(;;); and then another mention of {}&&.
I've seen comments surrounding the while(1); that say the 1 being numeric can get clobbered, so my approach was going to be the for(;;);.
Then I came across the {}&&, which renders the JSON as invalid yet it can still be parsed/eval'ed. See this article for reference: http://www.sitepen.com/blog/2008/09/25/security-in-ajax/
What are your approaches? And what do your functions look like for making the AJAX call with the unparseable cruft?
I just always use a root object. As noted:
It is only possible to hijack JSON data with a root that is an array. When the root is a primitive, primitive values do not trigger a constructor. When the root is an object, it is not valid JavaScript syntax, and therefore can’t be parsed.
Note that having a root primitive (e.g. your response is just 5) is not valid JSON. Section 2 of the RFC says:
A JSON text is a serialized object or array.
JSON-text = object / array
This isn't much of a burden, as I (and many sites) typically use an envelope format. E.g.:
{
"header": {...},
"data": {...}
}
or:
{
"status": {...},
"data": {...}
}
etc.
In that case, any array would just be the value of data, so you can serve syntactically valid JSON without any hijacking risk.
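As an added illustration of both points (not code from the question, the answer, or the linked article): a small client-side helper that strips a known cruft prefix before parsing and enforces the object-rooted envelope, plus a check of whether a raw response text would even compile as a script. The prefix list and the envelope shape are assumptions taken from the discussion above; nothing here executes the response.

```javascript
// Added example: defensive handling of JSON responses that may carry an
// unparseable prefix, and a demonstration of why an object root is safe.

// Prefixes mentioned on the page; the (hypothetical) server is assumed to
// emit exactly one of these immediately before the JSON text.
const CRUFT_PREFIXES = ['for(;;);', 'while(1);', '{}&&'];

// Strip a known prefix, if present, and parse the remainder strictly with
// JSON.parse (never eval). Only an object-rooted envelope is accepted,
// matching the answer's recommendation; arrays go inside "data".
function parseGuardedJson(text) {
  const prefix = CRUFT_PREFIXES.find((p) => text.startsWith(p));
  const body = prefix ? text.slice(prefix.length) : text;
  const value = JSON.parse(body);
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('expected an object-rooted JSON envelope');
  }
  return value;
}

// Would this response text compile as a JavaScript program? That is what a
// cross-site <script src="..."> inclusion relies on. new Function only
// compiles the text; it is never invoked, so nothing runs. A SyntaxError
// means the response cannot be loaded as a script at all.
function executableAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample responses for a quick local demonstration.
const envelope = parseGuardedJson('for(;;);{"header":{"v":1},"data":[1,2,3]}');
console.log(envelope.data);                                 // [1, 2, 3]
console.log(executableAsScript('[1,2,3]'));                  // true: array root loads as a script
console.log(executableAsScript('{"header":{},"data":[1]}')); // false: object root is a syntax error
```

The array-rooted text is a valid script because `[1,2,3]` is an expression statement; the object-rooted text fails because a leading `{` opens a block and `"header":` is not a valid statement inside it.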