A remote site attempting a CSRF attack will need to load data using a JSONP call (entering a script block on the page). If you try to make a JSONP call with the script that you enter on your web page, the JavaScript VM will not be able to load the data (due to the while loop). Thus, an attacker will not be able to see the data.
This ensures that only clients that comply with the same-origin policy (downloading data via a regular Ajax call) can use the data, thereby preventing any attacker from accessing data from a remote site.
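As an added illustration of the answer above (example code, not part of the original post), the following shows both halves of the technique: the server prepends the conventional `while(1);` prefix so the body is neither valid JSON nor a usable JSONP callback when pulled in via a `<script>` tag, and the same-origin Ajax client, which can read the raw response text, strips that prefix before parsing. The function names, the `PREFIX` constant and the sample payload are my own choices, not taken from any particular framework.

```javascript
// Added example: anti-JSON-hijacking prefix on a JSON response.
// The prefix is the conventional one; a framework may use a different
// unparseable prefix (the same idea applies as long as client and server agree).
const PREFIX = "while(1);";

// Server side: serialize the payload and prepend the loop. If a remote page
// includes this URL as a <script>, the engine executes the infinite loop and
// never reaches the data; there is no callback to hand it to.
function protectJson(value) {
  return PREFIX + JSON.stringify(value);
}

// Same-origin client (XMLHttpRequest / fetch): it can read the response body
// as text, so it removes the prefix and parses the remainder. A body without
// the prefix is treated as an error rather than parsed on a guess.
function parseProtectedJson(body) {
  if (!body.startsWith(PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(PREFIX.length));
}

// Shows what a naive consumer sees: the wire body is not valid JSON at all,
// so JSON.parse on the raw text fails. Returns true when parsing is refused.
function rawBodyIsUnparseable(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample payload (not from the page).
const sample = { user: "alice", balance: 42 };
const wire = protectJson(sample);
console.log(wire);                       // while(1);{"user":"alice","balance":42}
console.log(rawBodyIsUnparseable(wire)); // true: a <script> include or naive parse gets nothing usable
console.log(parseProtectedJson(wire));   // { user: 'alice', balance: 42 } for the same-origin client
```

The check in `parseProtectedJson` matters on the defending side too: if a deployment ever serves the endpoint without the prefix, failing loudly is better than silently parsing a body that a cross-site `<script>` could also have executed. Serving the response with `Content-Type: application/json` rather than a script type is the usual companion measure.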