b50ca99566
`parseJsonBody` and `requireJsonBody` do not require a mime type when parsing `JSON` content. This leaves them open to CSRF. They are now deprecated and `insecure` versions are added in their place. Consumers are now given a proper choice between secure and insecure functions. There is a potential attack vector in that the browser does not trigger CORS requests for "simple requests", which includes POST requests that are form or text content-types. An attacker can craft a form whose body is valid JSON, and when a user visits attacker.com and submits that form, it can be submitted to bank.com and bypass CORS. Checking the content-type is application/json prevents this, because if the content-type was set to application/json, then the browser would send a CORS request—a preflight OPTIONS request to the server asking if the current domain (and some other values) are whitelisted to send requests to that server. If the server doesn't say attacker.com is whitelisted, the browser will not send the real request to the server. |
||
|---|---|---|
| .. | ||
| Class | ||
| Internal | ||
| Content.hs | ||
| Dispatch.hs | ||
| Handler.hs | ||
| Internal.hs | ||
| Json.hs | ||
| TypeCache.hs | ||
| Types.hs | ||
| Unsafe.hs | ||
| Widget.hs | ||