[jQuery] CSRF best practice

As per this article - http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
older browsers can override array processing in JS and process JSON even though it's nothing to do with their site.

I was thinking that prepending the JSON fragment with one char that made it invalid JSON would do the trick. In my client app, I'd strip the single char:
$.get("path/to/my/service", { }, function(data) {
    // strip the leading char the server prepended
    data = data.substr(1, data.length);
    if (data.ERROR != true) {
        for (var i = 0; i < data.length; i++) {
            // process rows.
        }
    }
}, "json");
It does not work though, as I think jQuery is expecting proper JSON, not just a string.

The article talks of prepending with {"d": and suffixing with } if the root node is an array. Is that the best strategy?

Thoughts?
- Paul
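Editor's note: the two server conventions the post weighs, prefix-and-strip versus wrapping an array root in {"d": ...}, worked through in plain JavaScript as an added example; this is not code from Paul's post or from jQuery. The prefix string, the helper names and the sample responses are assumptions. The reason the snippet above fails is that with dataType "json" jQuery parses the body before the callback runs, so the prefix has to be removed from the raw text before parsing (fetch as "text", or strip it in $.ajax's dataFilter hook). The isExecutableAsScript check is the server-side test of whether a body is still hijackable via <script src>.

```javascript
// Added example, not code from the original post or from jQuery. Two client-side
// ways to consume a JSON response that the server has deliberately made
// impossible to run as a <script>, so that a hostile page including the service
// URL via <script src> (the Array-override hijack in the linked article) gets a
// syntax error instead of the data.
//
// Assumed server conventions (hypothetical, pick your own):
//   prefix: the server prepends the fixed string PREFIX to the JSON body.
//   wrap:   the server wraps an array root as {"d": [...]}.
// Node's JSON.parse stands in for the browser's parser; the jQuery calls in the
// comments below are illustrative only and are not executed here.

const PREFIX = ")]}',\n"; // unbalanced ")" and "]" guarantee a JS syntax error

// Convention 1: strip the agreed prefix from the raw text, then parse.
// Refuse bodies without the prefix so a misconfigured endpoint fails loudly.
function parsePrefixed(body, prefix = PREFIX) {
  if (typeof body !== "string" || !body.startsWith(prefix)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(prefix.length));
}

// Convention 2: the body is valid JSON whose root is an object; unwrap "d".
function parseWrapped(body) {
  const obj = JSON.parse(body);
  if (obj === null || typeof obj !== "object" || Array.isArray(obj) || !("d" in obj)) {
    throw new Error('response is not wrapped as {"d": ...}');
  }
  return obj.d;
}

// Server-side sanity check: would this body parse as JavaScript? A body that
// does can be loaded with <script src> on an attacker's page. An array root
// parses as an expression statement; a "{" root is a block statement, so
// {"d": ...} fails at the colon, and PREFIX fails at its first ")".
function isExecutableAsScript(body) {
  try {
    new Function(body); // parse only; the function is never invoked
    return true;
  } catch (e) {
    return false;
  }
}

// The post's row handling, applied to the already-unwrapped payload.
function extractRows(payload) {
  if (payload && payload.ERROR === true) {
    throw new Error("service reported ERROR");
  }
  return Array.isArray(payload) ? payload : [];
}

// Constructed sample responses (not captured from any real service).
const PREFIXED_BODY = PREFIX + '[{"id":1,"name":"a"},{"id":2,"name":"b"}]';
const WRAPPED_BODY = '{"d":[{"id":1,"name":"a"},{"id":2,"name":"b"}]}';
const WRAPPED_ERROR = '{"d":{"ERROR":true}}';
const NAKED_ARRAY = '[{"id":1,"name":"a"}]'; // the post's starting point: hijackable

// Usage with jQuery (illustrative, not run here). Ask for text rather than
// "json" so jQuery does not try to parse the prefixed body before your callback:
//   $.ajax({ url: "path/to/my/service", dataType: "text",
//            success: function (body) { var rows = extractRows(parsePrefixed(body)); } });
// or keep dataType "json" and strip the prefix in the dataFilter hook:
//   $.ajax({ url: "path/to/my/service", dataType: "json",
//            dataFilter: function (raw) { return raw.slice(PREFIX.length); },
//            success: function (data) { var rows = extractRows(data); } });

console.log("prefixed  ->", extractRows(parsePrefixed(PREFIXED_BODY)).length, "rows");
console.log("wrapped   ->", extractRows(parseWrapped(WRAPPED_BODY)).length, "rows");
console.log("naked array runs as script:", isExecutableAsScript(NAKED_ARRAY));
console.log("prefixed runs as script:   ", isExecutableAsScript(PREFIXED_BODY));
console.log("wrapped runs as script:    ", isExecutableAsScript(WRAPPED_BODY));
```

Either convention breaks the script-include attack; the wrap form has the advantage that the body stays valid JSON end to end, so jQuery's "json" dataType can parse it unchanged and only obj.d needs unwrapping. The prefix form needs the text to be fetched raw or filtered first, which is the step the post's snippet was missing.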
