Serg

Reputation: 2946

CSRF: can the JSON data returned by a POST request be stolen?

Can the JSON data returned by a POST request be stolen by a cross-site request forgery attack?

Upvotes: 2

Views: 693

Answers (1)

Kornel

Reputation: 100100

It cannot be done using JS, but I'm not sure about Flash's cross-domain request.

In JS, a POST request can be made via forms and XMLHttpRequest. You can't see the result of a cross-domain form, so that's safe. XHR forbids cross-domain requests, so that's safe too.

Browsers do allow cross-domain inclusion of scripts via the <script> element, but that uses GET only.

Upvotes: 2
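An added example, not part of the original answer: a server-side sketch of a POST-only JSON endpoint together with a simplified model of what a cross-site script may read back. The function names, the origins and the sample payload are assumptions constructed for illustration; the model assumes a browser that enforces the same-origin policy and lets a foreign page read a response only when the server opts in through CORS headers.

```javascript
// Hypothetical endpoint logic as a pure function, so it runs without a network.
// TRUSTED_ORIGINS and the payload are constructed sample values.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

function handleAccountJson(req) {
  const origin = req.headers["origin"];
  const headers = {
    "Content-Type": "application/json; charset=utf-8",
    // Keeps the body from being treated as script if it is ever included as one.
    "X-Content-Type-Options": "nosniff",
    "Vary": "Origin",
  };

  // <script src=...> inclusion issues GET only, so a POST-only endpoint
  // never hands its JSON to a cross-site script element.
  if (req.method !== "POST") {
    headers["Allow"] = "POST";
    return { status: 405, headers, body: JSON.stringify({ error: "method not allowed" }) };
  }

  // A cross-site form POST still reaches the server even though the attacker
  // cannot read the reply; refuse it when Origin names a foreign site.
  // Requests without an Origin header (non-browser clients) pass this check.
  if (origin !== undefined && !TRUSTED_ORIGINS.has(origin)) {
    return { status: 403, headers, body: JSON.stringify({ error: "bad origin" }) };
  }

  // CORS opt-in for the trusted origin only; never "*" on private data.
  if (origin !== undefined) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return { status: 200, headers, body: JSON.stringify({ balance: 42 }) };
}

// Simplified browser-side rule: a script on pageOrigin can read the response
// if it is same-origin, or if the server echoed that origin in its CORS header.
function scriptCanRead(pageOrigin, serverOrigin, res) {
  if (pageOrigin === serverOrigin) return true;
  return res.headers["Access-Control-Allow-Origin"] === pageOrigin;
}
```
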
