DEV Community

Discussion on: CSRF tokens for SPAs - Possible?

Carl Walsh

Great details! I was wondering, should we be guarding against JSON hijacking in 2021? Based on stackoverflow.com/a/16880162/771768 it seems to have been fixed in Chrome a decade ago.

Michael Z

Yeah, it was fixed ages ago, but with ES6 proxies, it resurfaced. Now everything is fine again, but it could appear again with new browser features.

But there are also other security mechanisms since then to protect from it like SameSite, CORB (JSON hijacking is referred to as XSSI in that article), and the nosniff header.
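As an added illustration (not code from the thread or from either commenter), here is a small Python audit that checks an HTTP response for the three mitigations named above: a JSON content type that CORB can act on, the `X-Content-Type-Options: nosniff` header, and `SameSite` on any cookie the response sets. The function names and the sample responses are constructed for this example.

```python
from http.cookies import SimpleCookie
from typing import Dict, List

# Hypothetical helper: turn a raw HTTP response header block into
# {lower-cased name: [values]}, keeping repeated headers such as Set-Cookie.
def parse_headers(raw: str) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

# Hypothetical helper: return a list of findings; an empty list means the
# response carries the mitigations discussed in the thread.
def audit_json_response(headers: Dict[str, List[str]]) -> List[str]:
    findings: List[str] = []
    ctype = headers.get("content-type", [""])[0].split(";")[0].strip().lower()
    if ctype != "application/json":
        findings.append(f"content-type is {ctype!r}, not application/json")
    nosniff = [v.strip().lower() for v in headers.get("x-content-type-options", [])]
    if "nosniff" not in nosniff:
        findings.append("missing X-Content-Type-Options: nosniff")
    for raw_cookie in headers.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw_cookie)
        for name, morsel in jar.items():
            if (morsel["samesite"] or "").lower() not in ("lax", "strict"):
                findings.append(f"cookie {name!r} lacks SameSite=Lax/Strict")
    return findings

# Constructed sample responses for a JSON API endpoint.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_json_response(parse_headers(resp)))
```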