This works because the browser will run any third-party script, but it won't expose the raw string constituting the script.
So a malicious website can't steal that content by putting the URL in a script. It will never get to see what's in the script, and only a same-domain script could parse the whole contents, by making an XHR call, and strip out the "while 1;" part. In contrast, a regular JSONP string is specifically designed for the third party to read it (by including code to call a callback function).
A lot of people still don't realise you shouldn't be serving private data as JSONP. Thankfully, CORS lets modern browsers go cross-browser safely, even with private data if things are configured right.
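The mechanism described above, as an added example that is not part of this thread: a server-side wrapper that prepends the `while(1);` prefix, the same-origin client parser that strips it, and a JSONP wrapper beside it to show why the JSONP form is readable by any page that loads it in a `<script>` tag. Function names (`protectJson`, `parseProtectedJson`, `jsonpWrap`, `thirdPartyReadsJsonp`) and the sample data are assumptions made for this example.

```javascript
// Added example (not from the thread). Names and sample data are constructed.
const PREFIX = "while(1);";

// Server side: wrap private JSON so that a cross-origin <script src=...>
// pointing at it spins in an infinite loop instead of producing a value.
function protectJson(data) {
  return PREFIX + JSON.stringify(data);
}

// Same-origin client (after an XHR/fetch): require the prefix, strip it,
// then parse. A missing prefix is an error rather than silently accepted,
// so an unprotected response is noticed instead of being consumed.
function parseProtectedJson(body) {
  if (!body.startsWith(PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(PREFIX.length));
}

// The protected body is deliberately not valid JSON on its own.
function directParseFails(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (e) {
    return true;
  }
}

// JSONP: the server wraps the data in a call to a caller-supplied callback.
// The callback name is validated so it cannot carry arbitrary script.
function jsonpWrap(callbackName, data) {
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error("invalid callback name");
  }
  return callbackName + "(" + JSON.stringify(data) + ");";
}

// Simulates a third-party page that loaded the JSONP URL in a <script> tag:
// it defines the callback named "cb" and receives the full payload.
function thirdPartyReadsJsonp(scriptBody) {
  let captured = null;
  const cb = (d) => { captured = d; };
  new Function("cb", scriptBody)(cb);
  return captured;
}
```

The same simulation is not run against the `while(1);` body, because executing it would hang exactly as it does in a cross-origin `<script>` tag; `directParseFails` shows that the body is also unusable as plain JSON until the same-origin client strips the prefix.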
Actually as yoghur points out, CORS doesn't protect against CSRF. A token must be passed for any privileged calls.
That said, a benefit of CORS is the ability to do non-GET methods. So it's safer in the sense of HTTP idempotence, i.e. you can change server state safely, using POSTs, DELETEs, and so on. You'd still need to pass a token, however.
(Of course I meant cross-domain, not cross-browser :).