
Discussion on: CSRF tokens for SPAs - Possible?

Carl Walsh

Great details! I was wondering, should we be guarding against JSON hijacking in 2021? Based on it seems to have been fixed in Chrome a decade ago.

Michael Z Author

Yea, it was fixed ages ago, but with ES6 proxies, it resurfaced. Now everything is fine again, but it could appear again with new browser features.

But there are also other security mechanisms since then to protect from it like SameSite, CORB (JSON hijacking is referred to as XSSI in that article), and the nosniff header.
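The three server-side knobs mentioned in the reply above (a JSON content type so CORB can classify the response, the `nosniff` header, and a `SameSite` session cookie) can be checked mechanically. The following is an added example, not code from the thread or from the article it discusses; the function names, the audit finding labels and the sample header map are constructed for illustration, while the header names and attribute values are the standard ones.

```javascript
// Added example (not from the thread). Builds the response headers a
// JSON API endpoint should send so that browser-side defences apply:
//  - Content-Type: application/json  -> lets CORB classify the body as
//    protected data that must not reach a cross-origin <script> context
//  - X-Content-Type-Options: nosniff -> disables MIME sniffing, which
//    CORB also relies on to block confidently
//  - SameSite=Lax on the session cookie -> a cross-site <script src=...>
//    load is sent without the cookie, so the response carries no
//    authenticated data even if the browser could somehow read it
function jsonResponseHeaders({ sessionId } = {}) {
  const headers = {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
  if (sessionId) {
    // HttpOnly keeps page script from reading the cookie; Secure limits
    // it to HTTPS; SameSite=Lax withholds it on cross-site subresources.
    headers['Set-Cookie'] =
      `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
  }
  return headers;
}

// Audit helper: returns the list of weaknesses found in a header map.
// Header names are compared case-insensitively, as HTTP requires.
// Finding labels are invented for this example.
function auditJsonHeaders(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find(
      (k) => k.toLowerCase() === name.toLowerCase(),
    );
    return key === undefined ? undefined : headers[key];
  };
  const findings = [];

  const contentType = (get('content-type') || '').toLowerCase();
  if (!contentType.startsWith('application/json')) {
    findings.push('content-type-not-json');
  }

  const nosniff = (get('x-content-type-options') || '').toLowerCase();
  if (nosniff !== 'nosniff') {
    findings.push('missing-nosniff');
  }

  const cookie = get('set-cookie') || '';
  if (cookie && !/;\s*samesite=(lax|strict)/i.test(cookie)) {
    findings.push('cookie-without-samesite');
  }
  return findings;
}

// Constructed sample of a weak response: an HTML content type, no
// nosniff, and a session cookie without any SameSite attribute.
const WEAK_RESPONSE_HEADERS = {
  'content-type': 'text/html',
  'set-cookie': 'session=abc123; Path=/',
};

// Usage: compare the hardened and the weak header sets.
console.log(auditJsonHeaders(jsonResponseHeaders({ sessionId: 'abc123' })));
console.log(auditJsonHeaders(WEAK_RESPONSE_HEADERS));
```

The audit only reads headers, so it can be run against responses captured from an existing API to find endpoints that are still served without these protections; a `SameSite=None` cookie is reported as missing because it offers no cross-site restriction.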