JSON data that starts with closing brackets

This is a protection against the so-called JSON hijacking exploit. The client strips off the leading junk before interpreting it.

In the JSON hijacking exploit, a user is logged onto an application in one tab, meaning the browser is holding his authentication token in a cookie, for example. The hacker then arranges for the user to open a malicious app in another tab. The HTML in that tab contains a script tag with its src set to the URL for some JSON API of the first app. Since it is a script tag, there is no same-origin check. Since the browser includes valid credentials in the request, the first app goes ahead and returns the JSON, perhaps containing confidential information. Since JSON is valid JavaScript, the browser executes it, which in itself causes nothing to happen, but the hacker can then retrieve the JSON by examining the content of the script tag.

By putting junk in front of the JSON, it cannot be parsed as valid JS. Therefore, the browser errors out and does not load the content into the script tag of the malicious app, which therefore has no way to examine it. There are various "flavors" of junk used by different vendors; Google's is one.

These days there are several built-in countermeasures to JSON hijacking, and it is no longer a threat except on older browsers without properly set headers.
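The prefix-and-strip scheme described above, as an added example that is not part of the original answer: the function names, the sample data and the list of prefixes are assumptions for illustration, with `)]}'` being the "closing brackets" form the title refers to.

```javascript
// Added example: all names and sample data are constructed for illustration.

// Prefixes that make a JSON response unusable as a <script> source.
// ")]}'" is a syntax error; the loop forms never reach the data.
const XSSI_PREFIXES = [")]}',", ")]}'", "while(1);", "for (;;);"];

// Server side: prepend the prefix to the serialized JSON body.
function protectJson(value, prefix = ")]}'") {
  return prefix + "\n" + JSON.stringify(value);
}

// Client side: remove one known prefix, then parse with JSON.parse
// (never eval). Bodies without a prefix are parsed unchanged.
function parseProtectedJson(body) {
  const text = body.replace(/^\uFEFF/, ""); // drop a byte-order mark if present
  for (const prefix of XSSI_PREFIXES) {
    if (text.startsWith(prefix)) {
      return JSON.parse(text.slice(prefix.length));
    }
  }
  return JSON.parse(text);
}

// True if the text would compile as a script. new Function only
// compiles the source here; the resulting function is never called.
function compilesAsScript(source) {
  try {
    new Function(source);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

const sample = [{ user: "alice", balance: 120 }]; // constructed data
const wire = protectJson(sample);

console.log(compilesAsScript(JSON.stringify(sample))); // bare JSON array is a valid script
console.log(compilesAsScript(wire));                   // prefixed body is not
console.log(parseProtectedJson(wire)[0].user);         // the legitimate client still reads it
```

The legitimate client fetches the body as text with XHR or `fetch`, so it can strip the prefix; a page on another origin can only load the URL through a script tag, where the prefix stops it from being evaluated.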