
Title is incorrect: array usage is about JavaScript/JSON hijacking, not protection against CSRF.
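As an added illustration of the JSON-hijacking point above (this is example code, not from the thread or any project it mentions), the snippet below shows the risky response shape, a bare top-level JSON array, next to the usual hardening: wrap the array in an object and prepend a prefix that is a syntax error when the response is pulled in as a script. The prefix value, the `data` wrapper key and the helper names are assumptions chosen for the example; the sample response is constructed.

```javascript
// Added example (not from the thread). A JSON response whose top-level value is
// a bare array is valid JavaScript when loaded via <script src=...> from another
// origin, which is what "JSON hijacking" refers to. The defence is to make the
// body unusable as a script while a same-origin XHR/fetch caller can still
// parse it.

// Assumed prefix; any value that is a JavaScript syntax error works.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Check a reviewer can run over responses: is the top-level JSON value an array?
function isTopLevelArray(body) {
  return body.trimStart().startsWith("[");
}

// Server side: wrap a top-level array in an object and add the prefix.
// `data` is an assumed wrapper key.
function encodeProtected(value) {
  const payload = Array.isArray(value) ? { data: value } : value;
  return ANTI_HIJACK_PREFIX + JSON.stringify(payload);
}

// Client side (same origin): strip the prefix, then parse. A cross-site
// <script> include never gets this chance; the prefix aborts it.
function decodeProtected(text) {
  if (!text.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("missing anti-hijack prefix");
  }
  return JSON.parse(text.slice(ANTI_HIJACK_PREFIX.length));
}

// Constructed sample of what a naive endpoint might return.
const naiveResponse = JSON.stringify([{ id: 1, email: "alice@example.test" }]);

// Walk through both shapes and return the results so they can be inspected.
function demo() {
  const hardened = encodeProtected(JSON.parse(naiveResponse));
  return {
    naiveIsArray: isTopLevelArray(naiveResponse),
    hardenedIsArray: isTopLevelArray(hardened),
    hardened,
    decoded: decodeProtected(hardened),
  };
}
```

`demo()` returns `naiveIsArray: true` for the bare array and `hardenedIsArray: false` after wrapping; `decodeProtected` rejects any body that lacks the prefix, so a client cannot silently accept an unprotected response.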


Yeah, the article got it right (CSRF was the previous section) but the submitter titled it wrong.


Correct, the technical term for it is 'XSSI', or Cross Site Script Inclusion.


I haven't heard of that term before now, but I would argue that XSSI is a way of doing CSRF rather than CSRF, or something entirely different itself. (From Wikipedia: "Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.")

Apologies if the title made it seem like not using JavaScript arrays was a magic bullet to preventing all CSRF.


They are definitely similar, but I wouldn't say XSSI is a type of CSRF. CSRF refers specifically to a few methods of attack, distinct from what is used in XSSI.

Regardless, it seems CSRF is much more widely known than XSSI, so you could say worrying about the distinction is just pedantry. I was very surprised when I searched earlier and could not so much as find an OWASP mention of XSSI. Still very important to know though.


Based on what? Never heard of XSSI in this context; isn't XSSI used for extended server-side includes?



