I am using Backbone.js and the Tornado web server. The standard behavior for receiving collection data in Backbone is to send as a JSON Array.
On the other hand, Tornado's standard behavior is to not allow JSON Array's due to the following vulnerability:
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
A related one is: http://haacked.com/archive/2009/06/25/json-hijacking.aspx
It feels more natural for me to not have to wrap up my JSON in an object when it really is a list of objects.
I was unable to reproduce these attacks in modern browsers (i.e. current Chrome, Firefox, Safari, and IE9). At the same time I was unable to confirm anywhere that modern browsers had addressed these issues.
To ensure that I am mislead neither by any possible poor programming-skills nor poor googling-skills:
Are these JSON Hijacking attacks still an issue today in modern browsers?
(Note: Sorry for the possible duplicate to: Is it possible to do 'JSON hijacking' on modern browser? but since the accepted answer does not seem to answer the question - I thought it was time to ask it again and get some clearer explanations.)