I tried to return a list of data as the result in my web application. For example:
@expose('json')
def getList():
    return ['apple', 'banana', 'orange']
But the web framework TurboGears2 stops me and says:
01:50:22,687 ERROR [error] You may not expose with json a list return value. This is because it leaves your application open to CSRF attacks
I don't understand: what's the problem with returning a list as the result? I can't find any article talking about returning a JSON list and CSRF. Why is that?