While working on a project that used the REST API for Gerrit Code Review, I noticed that they do something that I thought was strange. Source:
To prevent against Cross Site Script Inclusion (XSSI) attacks, the JSON response body starts with a magic prefix line that must be stripped before feeding the rest of the response body to a JSON parser:
)]}'
[ ... valid JSON ... ]
How does prefixing the response body with seemingly random characters work to prevent XSSI?
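The behaviour the quoted documentation describes, as an added example that is not part of the original question and is not Gerrit's own code: the prefix line makes the body fail to compile as a script, while a client that strips it still gets valid JSON. The function names and the sample response are constructed for illustration.

```javascript
// Added example; parsesAsScript and parseGerritJson are hypothetical names.
const XSSI_PREFIX = ")]}'";

// Constructed sample data, not real Gerrit output.
const sampleJson = '[{"project":"demo","status":"NEW"}]';
const sampleResponse = XSSI_PREFIX + "\n" + sampleJson;

// True if `text` compiles as JavaScript, which is what a cross-site
// <script src="..."> include needs. new Function() only compiles the
// text here; the resulting function is never called.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Legitimate client: insist on the prefix line, strip it, parse the rest.
function parseGerritJson(body) {
  const newline = body.indexOf("\n");
  if (newline === -1) {
    throw new Error("response has no prefix line");
  }
  const firstLine = body.slice(0, newline).replace(/\r$/, "");
  if (firstLine !== XSSI_PREFIX) {
    throw new Error("response is missing the XSSI prefix line");
  }
  return JSON.parse(body.slice(newline + 1));
}

console.log("bare JSON array compiles as script:", parsesAsScript(sampleJson));
console.log("prefixed body compiles as script:  ", parsesAsScript(sampleResponse));
console.log("client-side parse:", parseGerritJson(sampleResponse));
```

A same-origin client reads the body as text (for example with `fetch`) and can strip the line; a cross-origin `<script>` include cannot read the text at all and only gets the syntax error.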