Why should I not return a JSON list as a result in a web service?
I tried to return a data list as a result in my web application. For example:
    # TurboGears 2 controller method (imports and class added to make the fragment complete)
    from tg import TGController, expose

    class RootController(TGController):
        @expose('json')
        def getList(self):
            return ['apple', 'banana', 'orange']
But the web framework TurboGears2 stops me and says:
01:50:22,687 ERROR [error] You may not expose with json a list return value. This is because it leaves your application open to CSRF attacks
I don't understand: what's the problem with returning a list as a result? I can't find any article about returning a JSON list and CSRF. Why is that?
Here is an article describing the issue.
http://haacked.com/archive/2009/06/25/json-hijacking.aspx
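The mechanism the linked article describes, as an added example that is not part of the question, the answer, or TurboGears itself: a top-level JSON array is also a complete, valid JavaScript program, so an attacker's page can load your authenticated endpoint with `<script src="https://victim.example/getList">` (the browser attaches the victim's cookies), and in older browsers could observe the values by redefining `Array` or installing setters. A top-level JSON object is not a valid program, so the script fails before anything is exposed. The sample response body, the `value` wrapper key and the `)]}',\n` prefix below are illustrative choices, not something the framework mandates; `eval` stands in for the browser's script loader only inside this demo.

```javascript
// Added example (not from the page or from TurboGears): why a bare JSON
// array is "hijackable" and two common ways to make the response safe.

// The data the question returns (constructed sample).
const FRUITS = ['apple', 'banana', 'orange'];
const LIST_BODY = JSON.stringify(FRUITS);   // '["apple","banana","orange"]'

// Stand-in for <script src="...">: run the response body as a *script*
// (indirect eval, global scope) and report its completion value. A script
// tag evaluates a statement list, not an expression, which is exactly why
// arrays and objects behave differently here.
function evaluateAsScript(body) {
  try {
    return { ok: true, value: (0, eval)(body) };
  } catch (e) {
    if (e instanceof SyntaxError) return { ok: false, error: e.message };
    throw e;
  }
}

// Mitigation 1 (what TurboGears pushes you toward): never return a list at
// the top level; wrap it in an object. As a script, `{` opens a block and
// `"value": ...` is a syntax error, so nothing is evaluated.
function wrapInObject(list) {
  return JSON.stringify({ value: list });
}

// Mitigation 2 (assumed convention, used by Google and AngularJS): prefix
// the body with a token that is a syntax error as a script. A same-origin
// XHR client strips the prefix before JSON.parse; a cross-origin <script>
// load dies on the first character.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function prefixed(body) {
  return ANTI_HIJACK_PREFIX + body;
}

function stripPrefix(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('response is missing the anti-hijack prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Demo: the array body runs as a script and yields the data; both hardened
// shapes fail to parse as a script but still decode as JSON for the real client.
const hijackable = evaluateAsScript(LIST_BODY);
const wrapped = evaluateAsScript(wrapInObject(FRUITS));
const guarded = evaluateAsScript(prefixed(LIST_BODY));
console.log('bare array runs as script:', hijackable.ok, hijackable.value);
console.log('object-wrapped runs as script:', wrapped.ok, wrapped.error);
console.log('prefixed runs as script:', guarded.ok, guarded.error);
console.log('legitimate client decodes prefixed body:', stripPrefix(prefixed(LIST_BODY)));
```

Modern browsers no longer let a page observe values from a cross-origin script's array literal, so the classic exploit does not work today, but returning an object (or a prefixed body) costs nothing and is still the standard advice; it also does not replace CSRF protection for state-changing requests.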