This problem exists because browsers do not apply the same-origin policy to script tags: any site can load a JSON endpoint with a script tag, and the victim's browser sends the session cookie along with that request.
Rails is vulnerable to this hijacking because its CSRF protection is not applied to GET requests, and a script tag only ever issues a GET request.
Apparently it is hard to address this problem. There is an old ticket for Rails, but right now I see no easy solution in Rails or in rich client frameworks such as Ember.
- Don’t send confidential data.
- Send HTML snippets instead of JSON.
- Send deliberately invalid data (for example JSON with a prefix that is not valid JavaScript) and strip it on the client before parsing.
- Use unguessable URLs.
- Use a token for authentication instead of a cookie.
- Don’t use GET requests.
- Use a CSRF token and fail when it is not correct.
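Two of the mitigations above, sending invalid data and checking a CSRF token even on GET requests, can be shown in a few lines of plain Ruby. This is an added example, not code from the original post or from Rails itself: it wraps the JSON body in a prefix that is a JavaScript syntax error (so a cross-origin script-tag include fails before any value can be observed), strips that prefix on the client before parsing, and checks an X-CSRF-Token header in constant time. The prefix string, the function names and the hash-shaped request are assumptions made for the example; a real Rails app would do the header check in a before_action.

```ruby
require 'json'

# Assumed prefix: ")]}'," is a JavaScript syntax error, so a <script src>
# pointing at the endpoint throws before the array/object literal is evaluated.
# Legitimate clients know the prefix and strip it before calling JSON.parse.
JSON_PREFIX = ")]}',\n".freeze

# Server side: render the payload with the anti-hijacking prefix in front.
def armored_json(payload)
  JSON_PREFIX + JSON.generate(payload)
end

# Client side: strip the prefix and parse. A body without the prefix is
# rejected so that a misconfigured endpoint is noticed instead of trusted.
def parse_armored_json(body)
  unless body.start_with?(JSON_PREFIX)
    raise ArgumentError, 'response is missing the anti-hijacking prefix'
  end
  JSON.parse(body[JSON_PREFIX.length..-1])
end

# Helper for the check below: the armored body must not be parseable as
# JSON, which also means it is not a valid JavaScript program.
def valid_json?(body)
  JSON.parse(body)
  true
rescue JSON::ParserError
  false
end

# "Use a CSRF token and fail when it is not correct", applied to GET as well,
# since Rails' protect_from_forgery skips GET. The request is a hash built by
# hand here (assumption); the token in the session is the reference value.
def authorized_json_request?(request, session_token)
  header = request[:headers]['X-CSRF-Token']
  return false if header.nil? || session_token.nil?
  return false unless header.bytesize == session_token.bytesize
  # Constant-time comparison so the token cannot be guessed byte by byte
  # through timing differences.
  header.bytes.zip(session_token.bytes).map { |a, b| a ^ b }.reduce(0, :|).zero?
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data for a quick manual run.
  body = armored_json('user' => 'alice', 'balance' => 42)
  puts body
  puts "parseable as JSON: #{valid_json?(body)}"
  puts parse_armored_json(body).inspect
end
```

The prefix only protects clients that know to strip it; the CSRF check is the layer that makes the endpoint itself refuse a cross-site GET, because a script tag cannot add a custom header.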