I send JSON to my server from browsers using jQuery.ajax and the Content-Type header set to application/json.

Is CSRF a concern here? (I know it's an issue if I send application/x-www-form-urlencoded data from forms.)

Dan
  • duplicate of http://stackoverflow.com/questions/9089909/do-i-need-a-csrf-token-for-jquery-ajax if you use an authentication cookie. – windm Oct 14 '15 at 14:43
  • @Mawi12345 I don't think this is a duplicate because I believe using JSON makes a big difference to the answer. The question is similar to http://stackoverflow.com/questions/11008469/are-json-web-services-vulnerable-to-csrf-attacks but doesn't address jQuery specifically. – Dan Oct 14 '15 at 14:47
  • The link you provided should answer your question. jQuery ajax is a wrapper of XHR. – windm Oct 14 '15 at 14:51
  • So the answer is it's not a concern if I don't have any `Access-Control-Allow-*` headers and don't allow others to inject scripts into my web page? – Dan Oct 14 '15 at 14:55
  • [Similar question/answer here](http://security.stackexchange.com/a/84713/8340) – SilverlightFox Oct 23 '15 at 12:56

1 Answer

If you use application/json and your server does not allow cross-origin requests, then the only threat comes from XHR-based CSRF attacks. So the attacker needs to use XSS (or similar attacks) to run code from your origin.

Dan
windm
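The server-side check that the accepted answer relies on, as an added example (not code from the question or the answer): a JSON endpoint is only safe from form-based CSRF if the server actually insists on the application/json media type and does not hand out permissive `Access-Control-Allow-*` headers. Cross-origin XHR/fetch with that content type triggers a CORS preflight, so without a matching allow-origin header the browser never sends the real request. The request objects and the `allowedOrigins` setting below are constructed for illustration; `checkJsonRequest` and `corsPreflightHeaders` are hypothetical helper names.

```javascript
// Assumed application setting: the only origin allowed to call this API.
const allowedOrigins = new Set(["https://app.example"]);

// Parse the media type, dropping parameters such as "; charset=UTF-8"
// (jQuery.ajax sends "application/json; charset=UTF-8" by default).
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Decide whether a state-changing request should be accepted.
// Returns { ok, reason } so the caller can log why a request was refused.
function checkJsonRequest(req) {
  const type = mediaType(req.headers["content-type"]);
  // An HTML <form> cannot submit application/json, so requiring it
  // rules out plain form-based CSRF. Anything else is rejected.
  if (type !== "application/json") {
    return { ok: false, reason: `unexpected content type '${type || "<none>"}'` };
  }
  // Defence in depth: when the browser sends an Origin header it must be ours.
  const origin = req.headers["origin"];
  if (origin !== undefined && !allowedOrigins.has(origin)) {
    return { ok: false, reason: `origin ${origin} not allowed` };
  }
  // The body must really be JSON; a bogus body with a forged header is refused.
  try {
    JSON.parse(req.body);
  } catch (e) {
    return { ok: false, reason: "body is not valid JSON" };
  }
  return { ok: true, reason: "accepted" };
}

// CORS preflight: a request with Content-Type: application/json is not a
// "simple" request, so the browser sends OPTIONS first and only proceeds if
// the response allows that origin. Never reflect an arbitrary Origin here;
// returning no CORS headers makes the browser block the cross-origin XHR.
function corsPreflightHeaders(origin) {
  if (!allowedOrigins.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "POST",
    "Access-Control-Allow-Headers": "Content-Type",
  };
}

// Constructed sample requests.
// 1) jQuery.ajax({ contentType: "application/json", ... }) from our own page.
const sameOriginAjax = {
  headers: { "content-type": "application/json; charset=UTF-8", origin: "https://app.example" },
  body: JSON.stringify({ amount: 10 }),
};
// 2) An ordinary <form> POST from another site, which a browser will submit
//    as application/x-www-form-urlencoded (the case the question already
//    recognises as CSRF-prone).
const crossOriginForm = {
  headers: { "content-type": "application/x-www-form-urlencoded", origin: "https://other.example" },
  body: "amount=10",
};

// Run stand-alone: prints the decision for both sample requests.
if (typeof require !== "undefined" && require.main === module) {
  console.log("same-origin ajax:", checkJsonRequest(sameOriginAjax));
  console.log("cross-origin form:", checkJsonRequest(crossOriginForm));
}
```

Two points this illustrates beyond the answer's one sentence: the media-type comparison has to strip parameters and compare the bare type, or jQuery's default `; charset=UTF-8` suffix would make legitimate calls fail; and the CORS preflight response, not the endpoint itself, is what keeps cross-origin XHR out, so echoing the `Origin` header back unconditionally would silently reopen the hole.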