From 8b22cd98306094908a6abf9340c557aff875924e Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Thu, 25 Apr 2013 15:22:33 +0200 Subject: [PATCH] added a note about returning an object when using a JSON response --- components/http_foundation/introduction.rst | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/components/http_foundation/introduction.rst b/components/http_foundation/introduction.rst index c35601dced7..b62601bc8f6 100644 --- a/components/http_foundation/introduction.rst +++ b/components/http_foundation/introduction.rst @@ -507,11 +507,18 @@ the response content will look like this: handleResponse({'data': 123}); +.. caution:: + + Note that it is recommended to always return an object as a response to + protect yourself against XSSI and JSON-JavaScript Hijacking. Read the + `OWASP guidelines`_ for more information. + Session ------- The session information is in its own document: :doc:`/components/http_foundation/sessions`. -.. _Packagist: https://packagist.org/packages/symfony/http-foundation -.. _Nginx: http://wiki.nginx.org/XSendfile -.. _Apache: https://tn123.org/mod_xsendfile/ +.. _Packagist: https://packagist.org/packages/symfony/http-foundation +.. _Nginx: http://wiki.nginx.org/XSendfile +.. _Apache: https://tn123.org/mod_xsendfile/ +.. _OWASP guidelines: https://www.owasp.org/index.php/OWASP_AJAX_Security_Guidelines#Always_return_JSON_with_an_Object_on_the_outside
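Review bot: The new `.. caution::` block lands directly under the JSONP example (`handleResponse({'data': 123});`), but the advice it gives only helps for plain JSON responses read by same-origin XHR code; a JSONP endpoint hands its payload to whatever callback the embedding page names, so wrapping the data in an object does nothing to protect it there. Suggest stating explicitly that the recommendation is for JSON (not JSONP) responses and that a JSONP endpoint must only expose data that is safe to read from any origin. Wording inside the admonition can also be tightened: "Note that it is recommended to always return an object" reads better as "Always return an object, never a bare array, at the top level of a JSON response, to protect against XSSI and JSON hijacking", which also matches the title of the linked OWASP section visible in the target URL ("Always return JSON with an Object on the outside"); "JSON-JavaScript Hijacking" is not a term the reader will find elsewhere. Finally, the `Packagist`, `Nginx` and `Apache` link-target lines are removed and re-added with identical text, so the change there must be whitespace alignment only; either mention that in the commit message or leave those three lines out so the diff shows only the substantive addition.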