Today I read a bit more about JavaScript and JSON hijacking. JSON hijacking is nicely described in these articles:

  • One of the first reports
  • Security statement

This problem exists because browsers don't apply the same-origin policy to script tags: a page on any origin can include a cross-origin URL in a script tag, and the browser fetches it with the victim's cookies and executes the response.

JavaScript hijacking is very similar to JSON hijacking. The difference is that the server returns executable JavaScript instead of a JSON object that merely happens to be executable as JavaScript.

Rails is vulnerable to this kind of hijacking because its CSRF protection is not applied to GET requests.

Apparently it is hard to address this problem. There is an old ticket for Rails, but right now I see no easy solution in Rails or in rich client frameworks such as Ember.

Mitigation alternatives:

  • Don’t send confidential data.
  • Send HTML snippets instead of JSON.
  • Prefix the response so it is not valid JavaScript, and strip the prefix on the client before parsing.
  • Use unguessable URLs.
  • Use a token for authentication instead of a cookie.
  • Don’t use GET requests.
  • Use a CSRF token and fail when it is not correct.
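As an added example (not code from the original post), the following Node.js snippet shows why the attack works and how the "send invalid data and parse it" mitigation defeats it. It compiles candidate response bodies with the Function constructor, which mirrors what a script tag does without executing anything: a bare JSON array is a valid JavaScript program, while the same array behind an unparseable prefix is not. The prefix value and the sample user records are assumptions constructed for the demonstration; any prefix that is not valid JavaScript works.

```javascript
// Assumed prefix: not valid JavaScript, so a script tag cannot execute the body.
const UNPARSEABLE_PREFIX = ")]}',\n";

// Constructed sample data standing in for a confidential JSON response.
const sampleUsers = [
  { id: 1, email: "alice@example.com" },
  { id: 2, email: "bob@example.com" },
];

// Server side: serialize the value and prepend the prefix.
function protectJson(value) {
  return UNPARSEABLE_PREFIX + JSON.stringify(value);
}

// Client side: refuse bodies without the prefix, then strip it and parse.
function parseProtectedJson(body) {
  if (!body.startsWith(UNPARSEABLE_PREFIX)) {
    throw new Error("missing anti-hijacking prefix");
  }
  return JSON.parse(body.slice(UNPARSEABLE_PREFIX.length));
}

// Would this body run if a third-party page included it via a script tag?
// Compiling (not calling) a Function tells us whether the body parses as a
// JavaScript program; a SyntaxError means the script tag would fail too.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Stand-alone demonstration of the three cases.
function demo() {
  const bareArray = JSON.stringify(sampleUsers);
  const bareObject = JSON.stringify(sampleUsers[0]);
  const protectedBody = protectJson(sampleUsers);
  return {
    bareArrayExecutable: isExecutableAsScript(bareArray),       // true: exploitable
    bareObjectExecutable: isExecutableAsScript(bareObject),     // false: a block, not an object literal
    protectedExecutable: isExecutableAsScript(protectedBody),   // false: prefix breaks parsing
    roundTrip: parseProtectedJson(protectedBody),               // the client still gets the data
  };
}

console.log(demo());
```

A top-level JSON object is already a syntax error as a script, which is why the classic attack targets array responses; the prefix makes both shapes safe, and the client's startsWith check turns a missing prefix into a loud failure rather than a silent parse of whatever came back.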