Should I use text/plain instead? Or is text/json actually going to turn out the same when it comes to cross-site security?
Either way, the content will be valid JSON, I just want to make sure I am right about the Content-Type header.
There are no security considerations affecting the choice of mime type for the request answer. Note that the proper mime type for JSON is application/json.
Yes, there are security implications. Browsers - especially IE - will often second-guess the content type. The reasoning is that some time back, servers delivered everything as the same content type, so browsers had to make guesses to display things correctly. text/plain is notorious for content sniffing (second-guessing). If your JSON contains HTML inside some of the values, there is a chance that if you open the URL directly in the browser, the browser will determine that it's HTML and render it. This could lead to XSS.
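As an added illustration of the sniffing concern raised in this thread (this is example code, not from either answer or any particular server): a small Python audit that flags a JSON response served as text/plain or text/json, or without X-Content-Type-Options: nosniff, next to a helper that builds the hardened header set. All responses it inspects are constructed inline; it does not talk to a network.

```python
"""Audit a JSON endpoint's response headers for content-sniffing risk.

Added example, not code from either answer in the thread. It never touches
the network: every response below is a constructed sample.
"""
import json
from typing import Dict, List, Tuple

# application/json is the registered media type for JSON (RFC 8259).
JSON_TYPES = {"application/json"}
# Types that browsers have historically second-guessed ("sniffed").
SNIFFABLE_TYPES = {"text/plain", "text/json"}


def media_type(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def build_json_response(payload: dict) -> Tuple[Dict[str, str], str]:
    """Return (headers, body) for a hardened JSON response.

    application/json names the real type, and nosniff tells the browser
    not to reinterpret the body as something else (for instance HTML).
    """
    body = json.dumps(payload)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(len(body.encode("utf-8"))),
    }
    return headers, body


def audit_json_response(headers: Dict[str, str]) -> List[str]:
    """Return findings for a JSON response; an empty list means no issue."""
    # HTTP header names are case-insensitive, so normalise them first.
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    ctype = lower.get("content-type")
    if ctype is None:
        findings.append("missing Content-Type; the browser will guess the type")
    else:
        mt = media_type(ctype)
        if mt in SNIFFABLE_TYPES:
            findings.append(f"{mt} invites content sniffing; use application/json")
        elif mt not in JSON_TYPES:
            findings.append(f"unexpected media type {mt} for a JSON body")

    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


# Constructed sample: a JSON value that happens to contain HTML markup,
# the case the thread worries about when the URL is opened directly.
SAMPLE_PAYLOAD = {"comment": "<b>hello</b>", "author": "alice"}

# Constructed weak response: what a server answering with text/plain emits.
WEAK_HEADERS = {"Content-Type": "text/plain", "Content-Length": "42"}

if __name__ == "__main__":
    print("weak:", audit_json_response(WEAK_HEADERS))
    hardened, body = build_json_response(SAMPLE_PAYLOAD)
    print("hardened:", audit_json_response(hardened) or "no findings")
```

The audit normalises header names and strips media-type parameters before comparing, because `Content-Type: Application/JSON; charset=UTF-8` is still the correct type and should not be flagged. Dropping it into a CI check against a staging endpoint's captured headers is the practical use.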