NAME

Amon2::Plugin::Web::JSON - JSON plugin

SYNOPSIS

use Amon2::Lite;

__PACKAGE__->load_plugins(qw/Web::JSON/);

get '/' => sub {
    my $c = shift;
    return $c->render_json(+{foo => 'bar'});
};

__PACKAGE__->to_app();

DESCRIPTION

This is a JSON plugin.

METHODS

$c->render_json(\%dat);

Generate JSON data from \%dat and returns instance of Plack::Response.

FAQ

How can I use JSONP?

You can use JSONP by using Plack::Middleware::JSONP.

JSON and security

Browse the JSON files directly.

This module escapes '<', '>', and '+' characters by "\uXXXX" form. Browser don't detects the JSON as HTML.

And also this module outputs "X-Content-Type-Options: nosniff" header for IEs.

It's good enough, I hope.

JSON Hijacking

Latest browsers doesn't have a JSON hijacking issue(I hope). __defineSetter__ or UTF-7 attack was resolved by browsers.

But Firefox<=3.0.x and Android phones have issue on Array constructor, see http://d.hatena.ne.jp/ockeghem/20110907/p1.

Firefox<=3.0.x was outdated. Web application developers doesn't need to add workaround for it, see http://en.wikipedia.org/wiki/Firefox#Version_release_table.

Amon2::Plugin::Web::JSON have a JSON hijacking detection feature. Amon2::Plugin::Web::JSON returns "403 Forbidden" response if following pattern request.

The request have 'Cookie' header.

The request doesn't have 'X-Requested-With' header.

The request contains /android/i string in 'User-Agent' header.

Request method is 'GET'

See also the hasegawayosuke's article(Japanese).

THANKS TO

hasegawayosuke