- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Tue, 8 Jan 2008 17:31:52 +0000
- To: Jonas Sicking <jonas@sicking.cc>, Jon Ferraiolo <jferrai@us.ibm.com>
- CC: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
Jonas Sicking wrote:

> So if JSONRequest relies on the lack of cookies and auth credentials to protect the user or server, how are these firewalled servers protected?

For a GET request, the response's Content-Type MUST be "application/jsonrequest", a Media-Type that did not exist before the creation of the JSONRequest proposal. This Content-Type is therefore taken as an explicit acknowledgment that the resource knows it can be accessed cross-domain.

For a POST request, the request entity also has the Content-Type "application/jsonrequest", so if the resource is checking the Content-Type, it will think an unsupported Media-Type is being sent. If it does not check the Content-Type, it is still likely that it will not be able to parse the request entity, since it is probably expecting either an "application/x-www-form-urlencoded" entity or an XML entity, since JSON is a newer syntax.

Both of these protections are just last-line-of-defense to protect those services that don't do any permission checks at all and so rely on a firewall to keep out unauthorized requests. Since these resources are already completely vulnerable to CSRF (Cross-Site-Request-Forgery) attacks, these protections seem sufficient to retain any actual security the resources may currently have.

--Tyler
Received on Tuesday, 8 January 2008 17:32:52 UTC
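The two "last-line-of-defense" mechanisms in the message above, modelled as an added example that is not part of the original post or of the JSONRequest proposal itself: a client-side check that only hands a GET response to the page when its Content-Type is exactly `application/jsonrequest`, and a constructed legacy form endpoint (expecting `application/x-www-form-urlencoded`) that either rejects a JSONRequest POST entity on its media type or, with that check removed, fails to find any form fields in the JSON body. The endpoint, its field names and the request bodies are all assumptions made for illustration.

```python
"""Added example (not from the mailing-list post): a small model of the two
JSONRequest protections described by Tyler Close.

1. A JSONRequest-aware client discards a GET response unless its
   Content-Type is "application/jsonrequest".
2. A legacy, firewalled form handler expecting
   "application/x-www-form-urlencoded" cannot act on a JSONRequest POST
   entity, whether or not it checks Content-Type first.

All handlers, field names and bodies here are constructed for illustration.
"""
import json
from urllib.parse import parse_qs

JSONREQUEST_TYPE = "application/jsonrequest"
FORM_TYPE = "application/x-www-form-urlencoded"


def media_type(content_type):
    """Return the media type of a Content-Type header, lowercased and with
    parameters such as ';charset=utf-8' stripped."""
    return content_type.split(";", 1)[0].strip().lower()


def jsonrequest_client_accepts(headers, body):
    """Model the client-side check on a GET response.

    Returns the decoded JSON value only when the response carries the
    JSONRequest media type, which the resource could only have set if it
    knows about cross-domain access. Otherwise returns None and the calling
    page never sees the body.
    """
    if media_type(headers.get("Content-Type", "")) != JSONREQUEST_TYPE:
        return None
    return json.loads(body)


def legacy_form_endpoint(headers, body, check_content_type=True):
    """A constructed legacy intranet handler that only understands
    form-encoded POSTs (hypothetical fields 'action' and 'amount').

    With check_content_type=True it refuses unknown media types outright.
    With it False, the form parser still finds no usable fields in a JSON
    entity, so the request is rejected one step later.
    """
    if check_content_type and media_type(headers.get("Content-Type", "")) != FORM_TYPE:
        return {"status": 415, "reason": "Unsupported Media Type"}
    # parse_qs drops pairs that contain no '=', so a JSON object body
    # such as '{"action": "transfer"}' yields an empty field dict.
    fields = parse_qs(body)
    if "action" not in fields or "amount" not in fields:
        return {"status": 400, "reason": "missing form fields"}
    return {"status": 200, "action": fields["action"][0], "amount": int(fields["amount"][0])}


def demo():
    """Run all four cases and return their outcomes for inspection."""
    get_opted_in = jsonrequest_client_accepts(
        {"Content-Type": "application/jsonrequest"}, '{"balance": 42}')
    get_not_opted_in = jsonrequest_client_accepts(
        {"Content-Type": "application/json"}, '{"balance": 42}')
    jsonrequest_post = json.dumps({"action": "transfer", "amount": 100})
    strict = legacy_form_endpoint({"Content-Type": JSONREQUEST_TYPE}, jsonrequest_post)
    lax = legacy_form_endpoint({"Content-Type": JSONREQUEST_TYPE}, jsonrequest_post,
                               check_content_type=False)
    same_origin_form = legacy_form_endpoint({"Content-Type": FORM_TYPE},
                                            "action=transfer&amount=100")
    return get_opted_in, get_not_opted_in, strict, lax, same_origin_form


if __name__ == "__main__":
    for label, result in zip(
            ("GET opted in", "GET not opted in", "POST strict handler",
             "POST lax handler", "ordinary form POST"), demo()):
        print(f"{label}: {result}")
```

The point of the model is the one the message makes: neither check is an authorization mechanism. The media type only distinguishes a resource that has consciously opted in to cross-domain access from one that has not, and a legacy endpoint that performs no permission checks at all remains exactly as exposed to ordinary CSRF as it was before.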