What is Cross Site Script Inclusion (XSSI)?

Question

I\'ve recently seen XSSI mentioned on multiple pages, e.g. Web Application Exploits and Defenses:

Browsers prevent pages of one domain from reading pages

Answer 1

XSSI is not limited to jsonp responses. In some browsers you can override the Array constructor. If a Json response contains [...] and you include it as a script it will execute the new constructor instead of the builtin one. The fix is to insert something in the response that can't be parsed like ])}while(1); and then use code to remove it before parsing it. An attacker can't do that since script inclusion is always the entire script.

More detail on the problem and this solution at http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion