Do you prefer to wrap JSON arrays in another JSON object or always require POST to prevent JSON Hijacking?

I personally wrap all my responses in a comment:

/* {
    "foo": 3,
    "bar": "string with *\u002F sequence in"
} */

and strip that off before JSON.parsing. This makes it useless as a target for script tags.

It's worth noting that this problem is not only to do with JSON, but any HTTP response you serve that could be interpreted as JavaScript. Even, say, a .htaccess-protected text file is vulnerable to leaking through third-party script tag inclusion, if it's in a format that happens to be valid JavaScript.

And here's the crunch: thanks to E4X, even normal, static XML documents are also valid JavaScript. E4X is a disastrous and useless extension to JavaScript, implemented and invented at Mozilla, which allows you to write <element>content</element> XML literals inline in JS; as such, a protected XML file is now vulnerable to the same cross-site-leakage risks as JSON. Thank you Mozilla. See Google doctype's article on this.
