Commitf9f0c68

committed

[symfony#2555] Tweaking JSON Hijacking note to add a bit more information that Fabpot added

1 parent10f3926 commitf9f0c68Copy full SHA for f9f0c68

File tree

-5

lines changed

-5

lines changed

Lines changed: 7 additions & 5 deletions

Original file line number	Diff line number	Diff line change
@@ -450,10 +450,11 @@ to ``application/json``.
`450`	`450`
`451`	`451`	`..caution::`
`452`	`452`
`453`		- To avoid `JSON Hijacking`_, you should pass an associative array as the
`454`		- outer-most array to ``JsonResponse`` and not an indexed array so that
`455`		- the final result is an object (e.g. ``{"object": "not inside an array"}``)
`456`		- instead of an array (e.g. ``[{"object": "inside an array"}]``).
	`453`	+ To avoid XSSI `JSON Hijacking`_, you should pass an associative array
	`454`	+ as the outer-most array to ``JsonResponse`` and not an indexed array so
	`455`	+ that the final result is an object (e.g. ``{"object": "not inside an array"}``)
	`456`	+ instead of an array (e.g. ``[{"object": "inside an array"}]``). Read
	`457`	+ the `OWASP guidelines`_ for more information.
`457`	`458`
`458`	`459`	`JSONP Callback`
`459`	`460`	`~~~~~~~~~~~~~~`
`@@ -476,4 +477,5 @@ Session`
`476`	`477`	The session information is in its own document::doc:`/components/http_foundation/sessions`.
`477`	`478`
`478`	`479`	`.. _Packagist:https://packagist.org/packages/symfony/http-foundation`
`479`		-.. _`JSON Hijacking`:http://haacked.com/archive/2009/06/25/json-hijacking.aspx
	`480`	+.. _`JSON Hijacking`:http://haacked.com/archive/2009/06/25/json-hijacking.aspx
	`481`	`+.. _OWASP guidelines:https://www.owasp.org/index.php/OWASP_AJAX_Security_Guidelines#Always_return_JSON_with_an_Object_on_the_outside`

Comments

(0)