[security-dev] CSRF and json
Bruno Oliveira
bruno at abstractj.org
Mon May 5 22:25:19 EDT 2014
Good morning Bill
On 2014-05-05, Bill Burke wrote:
> If you have a JSON based web-service is it still vulnerable to CSRF
> requests? CORS should be one protection. For cross domain FORM posts,
They are, if you don't have checks for the content type.
> if the json service checks the media type for application/json it should
> abort the request, correct?
If you want to follow strictly the specification
(http://www.w3.org/TR/cors/#cross-origin-request-status). I would say,
yes, they just abort with "network error".
If you want to mitigate CSRF and other web vulnerabilities, my suggestion
is the CSP specification (http://www.w3.org/TR/CSP11/).
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
--
abstractj
More information about the security-dev
mailing list