From the AngularJS documentation
A JSON vulnerability allows third party website to turn your JSON resource URL into JSONP request under some conditions. To counter this your server can prefix all JSON requests with following string “)]}‘,\n”. Angular will automatically strip the prefix before processing it as JSON.
Phil Haack outlines the issue here.
Can we automatically prepend
")]}',\n" in Web Api? Sure!