iulianastase / jsonengine

Automatically exported from code.google.com/p/jsonengine

JSON hijacking prevention #15

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Some form of prevention for JSON hijacking is required, such as putting a session ID or
one-time token on each request.

Original issue reported on code.google.com by kazunori...@gmail.com on 3 Aug 2010 at 5:31

GoogleCodeExporter commented 8 years ago
One idea: Adding an option on the admin page such as:

- Disallow access without X-Requested-With header

By selecting this option, jsonengine will not accept any request without the
header, which means it only accepts Ajax requests and avoids JSON hijacking.

Original comment by kazunori...@gmail.com on 3 Aug 2010 at 6:19
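Both mitigations proposed in this thread (the one-time token from the first comment and the "reject requests without X-Requested-With" option from the second), as an added Python example that is not part of jsonengine itself; the class and function names, and the `token` parameter name, are assumptions for illustration.

```python
import hmac
import secrets


class OneTimeTokens:
    """Server-side store of issued-but-unused request tokens (assumed design)."""

    def __init__(self):
        self._live = set()

    def issue(self):
        # Hand the client a fresh random token to echo back on its next request.
        token = secrets.token_urlsafe(32)
        self._live.add(token)
        return token

    def consume(self, presented):
        # Constant-time comparison, and the token is discarded once used,
        # so a captured or guessed value cannot be replayed.
        for token in list(self._live):
            if hmac.compare_digest(token, presented):
                self._live.discard(token)
                return True
        return False


def _header(headers, name):
    # HTTP header names are case-insensitive; normalise before comparing.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_request(headers, params, tokens, require_xhr_header=True, require_token=False):
    """Return (accepted, reason) for one request, mirroring the proposed admin options.

    A cross-site <script src=...> include or a plain HTML form cannot attach a
    custom header, so demanding X-Requested-With blocks the classic JSON
    hijacking vector while still admitting same-origin XMLHttpRequest calls.
    """
    if require_xhr_header and _header(headers, "X-Requested-With") is None:
        return False, "rejected: no X-Requested-With header"
    if require_token:
        presented = params.get("token", "")
        if not presented or not tokens.consume(presented):
            return False, "rejected: missing, unknown or reused token"
    return True, "accepted"
```

The header check depends on browsers refusing to add custom headers to cross-origin requests without a CORS preflight, so a permissive CORS policy on the same endpoint would weaken it.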

GoogleCodeExporter commented 8 years ago

Original comment by kazunori...@gmail.com on 29 Sep 2010 at 4:27