7. Security Considerations
This specification has the same security considerations as JSON [RFC4627] and JSON-Pointer [RFC6901].
A few older Web browsers can be coerced into loading an arbitrary JSON document whose root is an array, leading to a situation in which a JSON Patch document containing sensitive information could be exposed to attackers, even if access is authenticated. This is known as a Cross-Site Request Forgery (CSRF) attack [CSRF].
However, such browsers are not widely used (at the time of writing, it is estimated that they are used in less than 1% of the market). Publishers who are nevertheless concerned about this attack are advised to avoid making such documents available with HTTP GET.
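The following is an added example, not part of this specification: a minimal Python WSGI application that follows the advice above by returning a JSON Patch document only in response to POST and answering GET and HEAD with 405. The sample patch contents, the choice of POST as the retrieval method, and the names patch_app and call are assumptions made for illustration.

```python
import json

# Constructed sample: a JSON Patch document (its root is an array).
SAMPLE_PATCH = [
    {"op": "replace", "path": "/email", "value": "user@example.test"},
    {"op": "remove", "path": "/recovery_token"},
]

PATCH_MEDIA_TYPE = "application/json-patch+json"
ALLOWED_METHODS = ("POST",)  # assumption: clients retrieve the patch with POST


def patch_app(environ, start_response):
    """WSGI app in which the patch document is never the body of a GET response."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method not in ALLOWED_METHODS:
        # GET, HEAD and anything else: empty body, and tell the client what is allowed.
        start_response("405 Method Not Allowed", [
            ("Allow", ", ".join(ALLOWED_METHODS)),
            ("Content-Length", "0"),
        ])
        return [b""]
    body = json.dumps(SAMPLE_PATCH).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", PATCH_MEDIA_TYPE),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def call(method):
    """Drive the app with a constructed WSGI environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    chunks = patch_app({"REQUEST_METHOD": method, "PATH_INFO": "/patch"}, start_response)
    return captured["status"], captured["headers"], b"".join(chunks)


if __name__ == "__main__":
    for m in ("GET", "HEAD", "POST"):
        status, headers, body = call(m)
        print(m, status, len(body), "bytes")
```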