If you have a JSON-based web service, is it still vulnerable to CSRF requests? CORS should be one protection. For cross-domain FORM posts, if the JSON service checks the media type for application/json, it should abort the request, correct?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
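The media-type check the message asks about, as an added example that is not part of the original post or any JBoss code: a gate for a JSON-only endpoint that keys on the Content-Type header, since the three encodings an HTML form can submit never include application/json. The function names, status codes and sample requests are constructed, and treating GET/HEAD as non-state-changing is an assumption.

```python
# Added example (constructed): strict Content-Type gate for a JSON-only endpoint.

# The only encodings an HTML <form> can submit; none is application/json.
FORM_ENCTYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Assumption: only these methods change state on the service.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def media_type(content_type):
    """Return the lowercase type/subtype of a Content-Type value, or None."""
    if not content_type:
        return None
    # Drop parameters such as charset or boundary, then normalise case.
    essence = content_type.split(";", 1)[0].strip().lower()
    kind, sep, subtype = essence.partition("/")
    if not sep or not kind or not subtype or " " in essence:
        return None
    return essence


def check_json_request(method, headers):
    """Return (status, reason); decide on the header, never on the body.

    A body that merely parses as JSON proves nothing: a form posted as
    text/plain can carry JSON-shaped text, so the header is what is checked.
    """
    if method.upper() not in STATE_CHANGING:
        return 200, "method not treated as state-changing"
    lowered = {name.lower(): value for name, value in headers.items()}
    mtype = media_type(lowered.get("content-type"))
    if mtype is None:
        return 415, "missing or malformed Content-Type"
    if mtype in FORM_ENCTYPES:
        return 415, "form encoding rejected: " + mtype
    if mtype != "application/json":
        return 415, "unsupported media type: " + mtype
    return 200, "application/json accepted"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("POST", {"Content-Type": "application/json; charset=UTF-8"}),
        ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
        ("POST", {"content-type": "text/plain"}),
        ("POST", {}),
    ]
    for method, headers in samples:
        print(method, headers, "->", check_json_request(method, headers))
```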