Good morning Bill
On 2014-05-05, Bill Burke wrote:
If you have a JSON-based web service, is it still vulnerable to CSRF requests? CORS should be one protection. For cross-domain FORM posts,
They are, if you don't have checks for the content type.
if the JSON service checks the media type for application/json it should abort the request, correct?
If you want to strictly follow the specification (http://www.w3.org/TR/cors/#cross-origin-request-status), I would say yes, they just abort with a "network error".
If you want to mitigate CSRF and other web vulnerabilities, my suggestion is the CSP specification (http://www.w3.org/TR/CSP11/).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
--
abstractj
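The media-type check discussed in the thread, written out as an added example (not code from either participant or from any JBoss project). It is framework-agnostic: the caller passes the HTTP method and a header mapping and gets back a status and reason. The origin allowlist and the sample requests are constructed values. It rejects the three media types an HTML form can submit, requires application/json on state-changing requests, and then applies a CORS origin allowlist, which is what makes a cross-origin browser request end in the "network error" abstractj refers to.

```python
"""Request gate for a JSON web service against cross-site form posts.

Added example, not code from the thread or from any JBoss project. The
shape is framework-agnostic: (method, headers) in, (status, reason) out.
The origin allowlist below is a constructed value.
"""
from typing import Mapping, Optional, Tuple

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
JSON_MEDIA_TYPE = "application/json"

# Media types an HTML <form> can submit without any CORS check. A request
# carrying one of these may have been sent by a form on another site.
FORM_MEDIA_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# Constructed allowlist of origins the service is willing to serve via CORS.
ALLOWED_ORIGINS = frozenset({"https://app.example"})


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def media_type(content_type: Optional[str]) -> str:
    """Bare media type, lower-cased, with parameters such as charset removed."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def check_request(method: str, headers: Mapping[str, str],
                  allowed_origins: frozenset = ALLOWED_ORIGINS) -> Tuple[int, str]:
    """Decide whether a request may reach the JSON handler.

    Returns (status, reason): 200 to proceed, 415 or 403 to reject.
    """
    if method.upper() in SAFE_METHODS:
        # Safe methods must not change state, so a forged one has no effect.
        return 200, "safe method"

    mt = media_type(get_header(headers, "Content-Type"))
    if mt in FORM_MEDIA_TYPES:
        return 415, f"{mt} can be produced by a cross-site HTML form"
    if mt != JSON_MEDIA_TYPE:
        return 415, f"expected {JSON_MEDIA_TYPE}, got {mt or 'no Content-Type'}"

    # A browser only gets here after a CORS preflight, because application/json
    # is not a "simple" content type. The Origin header names the caller; an
    # origin we do not serve gets nothing, which the browser reports to the page
    # as a network error. No Origin header means a non-browser client or, in
    # older browsers, a same-origin request.
    origin = get_header(headers, "Origin")
    if origin is not None and origin not in allowed_origins:
        return 403, f"origin {origin} is not allowed"
    return 200, "ok"


def preflight_headers(origin: Optional[str],
                      allowed_origins: frozenset = ALLOWED_ORIGINS) -> dict:
    """CORS headers for an OPTIONS preflight.

    An empty dict means the browser sees no Access-Control-Allow-Origin and
    aborts the actual request, per the CORS spec's "network error" outcome.
    """
    if origin is None or origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "POST, PUT, DELETE",
        "Access-Control-Allow-Headers": "Content-Type",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample requests: two form-style posts, a JSON post from an
    # allowed origin, a JSON post from an unknown origin, and a plain GET.
    samples = [
        ("POST", {"Content-Type": "application/x-www-form-urlencoded",
                  "Origin": "https://attacker.example"}),
        ("POST", {"Content-Type": "text/plain",
                  "Origin": "https://attacker.example"}),
        ("POST", {"Content-Type": "application/json; charset=utf-8",
                  "Origin": "https://app.example"}),
        ("POST", {"Content-Type": "application/json",
                  "Origin": "https://attacker.example"}),
        ("GET", {}),
    ]
    for method, hdrs in samples:
        print(method, media_type(hdrs.get("Content-Type")) or "-",
              check_request(method, hdrs))
```

The order of the checks matters: the media-type test runs first because it is what stops a plain form post, which needs no CORS at all; the origin allowlist is the second layer for clients that do send application/json, and it is the preflight response (or its absence) that decides whether a browser ever sends the real request.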