undefined | Better HN

0 pointsjtchang8y ago0 comments

> First, use an XSRF token as discussed earlier to make sure that JSON results containing confidential data are only returned to your own pages.

Is this necessary for GET requests that return JSON? You need to include a XSRF token in the request headers?

0 comments

codedokode8y ago

Ideally browsers should block cross-domain requests by default (so no XSRF is possible), but sadly this would break compatibility with older sites. Maybe we should make new HTTP methods (like SAFEPOST) with builtin XSRF protection and switch new apps to them?

j / k navigate · click thread line to collapse

0 pointsjtchang8y ago0 comments

> First, use an XSRF token as discussed earlier to make sure that JSON results containing confidential data are only returned to your own pages.

Is this necessary for GET requests that return JSON? You need to include a XSRF token in the request headers?

0 comments

codedokode8y ago

j / k navigate · click thread line to collapse