Security issues with top-level arrays in JSON
- Christopher O'Donnell
- 2013-06-18 @ 00:05
I'm a little confused by this part of the Flask documentation:
What does the success of a cross-site request (forged by way of the
cookies for the target site being attached by the browser running the
attacker's page) have to do with how it's sent or how the response might
be captured? Shouldn't the target just never accept the request (so,
in the example from the documentation, the JSON response wouldn't be
returned) if it didn't originate within the application (probably tested
with a one-time-use token)?
Does it have something to do with cross-site AJAX requests typically not
being permitted by browsers?
Still, the example seems strangely JSON-specific: surely there are and
will be bugs in the same-origin policies of browsers occasionally, or in
browser extension sandboxing, all giving far more direct ways to make a
forged request and have full access to its response without having to rely
So does anyone know how avoiding top-level arrays in JSON actually
contributes, providing the already-necessary check that the request
originated within the application is used?
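An added JavaScript check, not from the Flask documentation or the poster, showing the distinction the question turns on: a JSON body can only be loaded and executed via a cross-site `<script src>` tag (which the browser sends with the target site's cookies) if the text is also a valid JavaScript program, which a top-level array is and a top-level object is not. The `parsesAsScript` and `safeJsonBody` helpers, the `items` key and the sample responses are assumptions constructed for this example.

```javascript
// Added example: test whether a JSON response body would also parse as a
// JavaScript program, and wrap top-level arrays so that it no longer does.

// Returns true when `body` is syntactically a JavaScript program. This only
// compiles the text via the Function constructor; nothing is executed.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server-side mitigation: serialise a top-level array inside an object.
// `{"items": [...]}` as a script is a block whose first statement is a string
// followed by an illegal ':', so it cannot be executed by a <script> tag.
// The key name "items" is an assumption, not a Flask convention.
function safeJsonBody(value) {
  const wrapped = Array.isArray(value) ? { items: value } : value;
  return JSON.stringify(wrapped);
}

// Constructed sample responses, not taken from any real application.
const record = { user: "alice", email: "alice@example.com" };
const arrayBody = JSON.stringify([record]);   // what an unwrapped view returns
const objectBody = safeJsonBody([record]);    // the wrapped form

function report() {
  return {
    arrayIsScript: parsesAsScript(arrayBody),   // true: `[...]` is an expression statement
    objectIsScript: parsesAsScript(objectBody), // false: SyntaxError at ':'
  };
}

console.log(report());
```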