class Rack::Protection::JsonCsrf

Prevented attack: CSRF
Supported browsers: all
More infos: flask.pocoo.org/docs/security/#json-security

JSON GET APIs are vulnerable to being embedded as JavaScript while the
Array prototype has been patched to track data. Checks the referrer
even on GET requests if the content type is JSON.

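def call(env)
  # Let the wrapped app respond first; the check looks at the response's Content-Type.
  status, headers, body = app.call(env)
  # Compare the media type only (parameters such as charset are dropped). to_s on
  # first covers a response with no Content-Type, where split returns [].
  if headers['Content-Type'].to_s.split(';', 2).first.to_s.strip == 'application/json'
    # referrer(env) does not match the request host: use react's result instead.
    result = react(env) if referrer(env) != Request.new(env).host
  end
  result or [status, headers, body]
end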
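
The check above, exercised against sample requests. This is an added example, not rack-protection's own code, and it avoids the rack gem so it runs stand-alone. The class name, the sample app, the `status_for` helper, reading the host from `HTTP_HOST`, treating a missing or unparsable Referer as a mismatch, and the plain 403 reaction are all assumptions, since the page does not show `referrer` or `react`.

```ruby
require 'uri'

class JsonReferrerCheck
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    return deny if json?(headers) && !same_host?(env)
    [status, headers, body]
  end

  private
  # Media type only; a response with no Content-Type (a 204, say) is not JSON.
  def json?(headers)
    headers['Content-Type'].to_s.split(';', 2).first.to_s.strip.casecmp?('application/json')
  end

  # Assumption: a missing or unparsable Referer counts as a mismatch.
  def same_host?(env)
    host = env['HTTP_HOST'].to_s.split(':', 2).first
    !host.nil? && URI.parse(env['HTTP_REFERER'].to_s).host == host
  rescue URI::InvalidURIError
    false
  end

  # Assumption: the reaction is a plain 403.
  def deny
    [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
  end
end

# Constructed sample app: a JSON endpoint, an empty 204, and an HTML page.
APP = lambda do |env|
  case env['PATH_INFO']
  when '/api/contacts'
    [200, { 'Content-Type' => 'application/json; charset=utf-8' }, ['[{"name":"alice"}]']]
  when '/empty' then [204, {}, []]
  else [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']]
  end
end

def status_for(path, referer)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'HTTP_HOST' => 'app.example' }
  env['HTTP_REFERER'] = referer if referer
  JsonReferrerCheck.new(APP).call(env).first
end
```

Only the JSON response is gated on the Referer; the HTML page and the header-less 204 pass through unchanged whatever the Referer is.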