RE: ISSUE-18: Is JSONRequest an acceptable alternative to the current model? [Access Control]

Jonas Sicking wrote:
> So if JSONRequest
> relies on the lack of cookies and auth credentials to protect the user
> or server, how are these firewalled servers protected?

For a GET request, the response's Content-Type MUST be "application/jsonrequest", a Media-Type that did not exist before the creation of the JSONRequest proposal. This Content-Type is therefore taken as an explicit acknowledgment that the resource knows it can be accessed cross-domain.

For a POST request, the request entity also has the Content-Type "application/jsonrequest", so if the resource is checking the Content-Type, it will think an unsupported Media-Type is being sent. If it does not check the Content-Type, it is still likely that it will not be able to parse the request entity, since it is probably expecting either an "application/x-www-form-urlencoded" entity or an XML entity, JSON being a newer syntax.

Both of these protections are just a last line of defense to protect those services that don't do any permission checks at all and so rely on a firewall to keep out unauthorized requests. Since these resources are already completely vulnerable to CSRF (Cross-Site-Request-Forgery) attacks, these protections seem sufficient to retain any actual security the resources may currently have.
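The opt-in mechanism described in this reply, modelled as an added example (this is not code from the thread or from the JSONRequest proposal): a server only answers with "application/jsonrequest" on resources that have explicitly opted in to cross-domain access, a legacy resource rejects a POST entity of that type as unsupported, and the user-agent side only hands a response to script when the Media-Type is exactly "application/jsonrequest". The resource table, the request/response shapes and the handler names are constructed for the illustration.

```python
"""Constructed model of the JSONRequest Content-Type opt-in (added example)."""
import json
from dataclasses import dataclass, field

JSONREQUEST = "application/jsonrequest"
FORM = "application/x-www-form-urlencoded"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Constructed resource table. Only a resource that opts in is ever served as
# application/jsonrequest; the other entry stands for a firewall-protected
# legacy service that has never heard of the proposal.
RESOURCES = {
    "/public/feed": {"cross_domain": True, "data": {"items": [1, 2, 3]}},
    "/intranet/payroll": {"cross_domain": False, "data": {"salary": 1}},
}


def _media_type(headers: dict) -> str:
    # Media-Type comparison ignores parameters (charset etc.) and case.
    return headers.get("Content-Type", "").split(";", 1)[0].strip().lower()


def handle(req: Request) -> Response:
    """Server side: decide, per resource, whether to speak application/jsonrequest."""
    res = RESOURCES.get(req.path)
    if res is None:
        return Response(404)

    if req.method == "GET":
        if not res["cross_domain"]:
            # Legacy resource answers as it always did; the Media-Type is not
            # application/jsonrequest, so a JSONRequest client will discard it.
            return Response(200, {"Content-Type": "text/html"}, b"<html>payroll</html>")
        payload = json.dumps(res["data"]).encode()
        # Explicit acknowledgment that this resource may be read cross-domain.
        return Response(200, {"Content-Type": JSONREQUEST}, payload)

    if req.method == "POST":
        sent = _media_type(req.headers)
        if not res["cross_domain"]:
            # Legacy resource checks Content-Type: application/jsonrequest is
            # an unsupported Media-Type to it, so the entity is never parsed.
            if sent != FORM:
                return Response(415)
            return Response(200, {"Content-Type": "text/html"}, b"<html>ok</html>")
        if sent != JSONREQUEST:
            return Response(415)
        try:
            data = json.loads(req.body)
        except ValueError:
            return Response(400)
        return Response(200, {"Content-Type": JSONREQUEST},
                        json.dumps({"echo": data}).encode())

    return Response(405)


def deliver_to_script(resp: Response):
    """User-agent side: script sees the body only for a 200 whose Content-Type
    is exactly application/jsonrequest; anything else yields nothing."""
    if resp.status != 200 or _media_type(resp.headers) != JSONREQUEST:
        return None
    return json.loads(resp.body)


if __name__ == "__main__":
    print(deliver_to_script(handle(Request("GET", "/public/feed"))))
    print(deliver_to_script(handle(Request("GET", "/intranet/payroll"))))
    print(handle(Request("POST", "/intranet/payroll",
                         {"Content-Type": JSONREQUEST}, b'{"raise": 1}')).status)
```

The point the model makes explicit: the legacy resource is still reached by the GET, so the firewall is not what protects it; what keeps its body away from the cross-domain page is the user-agent refusing any Media-Type other than the one a JSONRequest-aware resource would deliberately emit.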


Received on Tuesday, 8 January 2008 17:32:52 UTC