sprin / pg-discuss

A comment system backend in Python with PostgreSQL
http://pg-discuss.sprin.io/

Remove CSRF Header middleware #19

Closed sprin closed 8 years ago

sprin commented 8 years ago

This middleware was intended as a CSRF mitigation in the event that Content-Type checking was not a sufficient mitigation. This might have been possible if this W3 spec were implemented: http://www.w3.org/TR/html-json-forms/

However, the most recent draft explicitly disallows cross-domain requests with JSON form submission. Also, the spec page now displays:

This specification is no longer in active maintenance and the HTML Working Group does not intend to maintain it further.

So it can be assumed this spec will not be implemented, and even if it were, it would not pose a CSRF threat. Therefore, this middleware can be removed, and Content-Type checking will provide the same level of CSRF protection.

Related: The CSRF Token middleware offers the best level of CSRF mitigation; however, some work must be done to enable its use in the Isso client.
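The Content-Type check that the comment says remains as the CSRF mitigation, as an added Python example that is not code from pg-discuss or its author: a small WSGI middleware that rejects state-changing requests unless the body is declared as application/json, together with a constructed request driver so it can be exercised offline. The names ContentTypeCheck, echo_app, simulate and the choice of a 415 response are assumptions of this example, not the project's API. The reasoning it encodes: an HTML form can only submit application/x-www-form-urlencoded, multipart/form-data or text/plain cross-origin, whereas sending application/json cross-origin requires a CORS preflight, which the server can refuse.

```python
import json

# Methods that change state and therefore need CSRF protection. Safe methods
# (GET, HEAD, OPTIONS) are passed through; they should have no side effects.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def media_type(content_type):
    """Return the bare media type of a Content-Type value, lowercased, with
    parameters such as '; charset=utf-8' stripped. Empty string if absent."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


class ContentTypeCheck:
    """WSGI middleware (hypothetical, not pg-discuss's own): reject any
    state-changing request whose body is not declared as the required
    media type. A cross-origin HTML form cannot produce application/json,
    and a script that sets that header cross-origin triggers a CORS
    preflight, so a matching Content-Type is evidence the request did not
    come from a forged form submission."""

    def __init__(self, app, required="application/json"):
        self.app = app
        self.required = required

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method in STATE_CHANGING_METHODS:
            declared = media_type(environ.get("CONTENT_TYPE"))
            # Exact match only: text/plain and the two form encodings are
            # exactly what a cross-origin <form> can send, so they must fail.
            if declared != self.required:
                body = json.dumps(
                    {"error": "Content-Type must be " + self.required}
                ).encode()
                start_response(
                    "415 Unsupported Media Type",
                    [("Content-Type", "application/json"),
                     ("Content-Length", str(len(body)))],
                )
                return [body]
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Trivial downstream application standing in for the real API."""
    body = b'{"ok": true}'
    start_response(
        "200 OK",
        [("Content-Type", "application/json"),
         ("Content-Length", str(len(body)))],
    )
    return [body]


# The protected application: middleware wrapped around the stand-in API.
protected_app = ContentTypeCheck(echo_app)


def simulate(app, method, content_type=None):
    """Drive a WSGI app with a constructed environ (no real HTTP involved)
    and return the numeric status code it responds with."""
    environ = {"REQUEST_METHOD": method}
    if content_type is not None:
        environ["CONTENT_TYPE"] = content_type
    result = {}

    def start_response(status, headers, exc_info=None):
        result["code"] = int(status.split(" ", 1)[0])
        return lambda data: None

    list(app(environ, start_response))  # consume the iterable
    return result["code"]


if __name__ == "__main__":
    # A JSON client is accepted; anything a cross-origin form can send is not.
    print(simulate(protected_app, "POST", "application/json"))
    print(simulate(protected_app, "POST", "application/x-www-form-urlencoded"))
    print(simulate(protected_app, "POST", "text/plain"))
    print(simulate(protected_app, "GET"))
```

The check is only as strong as the browser's enforcement of the same-origin policy and CORS: it must compare the exact media type (text/plain in particular must be rejected), it protects nothing on a server that also accepts form-encoded bodies on the same endpoints, and it does not replace the per-session token that the comment describes as the stronger mitigation.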