Jonas Sicking wrote:
> So if JSONRequest
> relies on the lack of cookies and auth credentials to protect the user
> or server, how are these firewalled servers protected?
For a GET request, the response's Content-Type MUST be
"application/jsonrequest", a Media-Type that did not exist before the creation
of the JSONRequest proposal. This Content-Type is therefore taken as an
explicit acknowledgment that the resource knows it can be accessed cross-domain.
For a POST request, the request entity also has the Content-Type
"application/jsonrequest", so if the resource is checking the Content-Type, it
will think an unsupported Media-Type is being sent. If it does not check the
Content-Type, it is still likely that it will not be able to parse the request
entity, since it is probably expecting either an
"application/x-www-form-urlencoded" entity or an XML entity, since JSON is a
newer syntax.
Both of these protections are just last lines of defense to protect those
services that don't do any permission checks at all and so rely on a firewall
to keep out unauthorized requests. Since these resources are already completely
vulnerable to CSRF (Cross-Site Request Forgery) attacks, these protections seem
sufficient to retain any actual security the resources may currently have.
--Tyler
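The two Content-Type protections described in the reply above, as an added illustration that is not code from the JSONRequest proposal or from either poster; the request and response headers are constructed dicts, and the two server models are assumptions about how a legacy service behaves:

```python
"""Checks on the application/jsonrequest media type as described in the thread.

Added illustration, not code from the JSONRequest proposal or from either
poster. Headers and bodies are constructed for the example.
"""
from urllib.parse import parse_qs

JSONREQUEST_TYPE = "application/jsonrequest"


def media_type(content_type):
    """Lowercase type/subtype of a Content-Type header value, with parameters
    such as charset dropped; None when the header is missing or malformed."""
    if not content_type:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    parts = essence.split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return essence


def client_accepts_get_response(headers):
    """GET side: the response is handed to the calling page only if the server
    labelled it application/jsonrequest, the explicit acknowledgment that the
    resource expects cross-domain access. Any other type is discarded."""
    return media_type(headers.get("Content-Type")) == JSONREQUEST_TYPE


def checking_server_accepts_post(headers, supported=("application/x-www-form-urlencoded",)):
    """POST side, assumed service that checks Content-Type: a JSONRequest
    entity is an unsupported media type, so the request is refused."""
    return media_type(headers.get("Content-Type")) in supported


def naive_form_server_fields(body, expected):
    """POST side, assumed service that skips the Content-Type check and parses
    the entity as a form: a JSON text yields none of the parameter names it
    expects, so the request carries no usable instructions."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: fields.get(name) for name in expected}


if __name__ == "__main__":
    # Constructed sample traffic.
    good = {"Content-Type": "application/jsonrequest; charset=utf-8"}
    legacy = {"Content-Type": "text/html"}
    print(client_accepts_get_response(good), client_accepts_get_response(legacy))
    print(checking_server_accepts_post(good))
    print(naive_form_server_fields('{"id": 7, "name": "x"}', ["id", "name"]))
```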