javascript - Why shouldn't the server respond with a JSON Array?

Question

According to this Angular 2 guide:

Don\'t expect the decoded JSON to be the heroes array directly. This server always wraps JSON results in an object wit

Answer 1

This was rather bad advice that has since been removed from the angular tutorial.

1. The linked OWASP Cheet Sheet lists three ways to defend against JSON Hijacking. The one the tutorial picked is the hardest to implement correctly, because one must educate every single developer, and audit every single REST resource, rather than writing a single HttpInterceptor to extend CSRF-defenses to GET requests.
2. JSON hijacking can only occur due to browser bugs, which tend to be fixed quickly (this does not imply such attacks are impossible, but the easy exploits no longer work in modern browsers)