Asp.Net MVC 2 JsonRequestBehavior.AllowGet

7. December 2009 22:33 by Dan in ASP.NET MVC

If you've been trying out Asp.Net MVC 2 you might come across this error:

This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request.

But it worked in MVC 1.0! There is a security vulnerability when JSON is returned to jQuery AJAX GET requests (JSON hijacking), and in MVC 2 GET requests for JSON results are blocked by default. You can get around the error, while leaving the security problem in place, by adding JsonRequestBehavior.AllowGet when you return the JSON result:

    // Needs: using System; using System.Collections.Generic; using System.Web.Mvc;
    public JsonResult FindByCoordinates(string latitude, string longitude)
    {
        IList<Object> records = new List<Object>
            {
                new
                    {
                        Lat = "0.1122",
                        Long = "51.12212"
                    }
            };

        // AllowGet re-enables JSON over GET, so the JSON hijacking exposure remains.
        return new JsonResult { Data = records, JsonRequestBehavior = JsonRequestBehavior.AllowGet };
    }

The better approach is to avoid the possibility of JSON hijacking and use a jQuery POST instead:

    $.ajax({
        type: "POST", // POST instead of GET, so the action no longer needs AllowGet
        contentType: "application/json; charset=utf-8",
        url: "/Home/FindEscortsByCoordinates",
        // ....
        // ....
    });
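
The server-side half of the POST approach, as an added example (not code from the original post): the action is restricted to POST with [HttpPost] and returns through Controller.Json, which keeps the default JsonRequestBehavior.DenyGet. The HomeController class name is an assumption taken from the /Home/ prefix of the URL above; the action name and sample record are the post's.

```csharp
// Added example, not the original post's code.
// Assumption: the controller is HomeController (the post's URL starts with /Home/).
using System.Collections.Generic;
using System.Web.Mvc;

public class HomeController : Controller
{
    // [HttpPost] makes the framework refuse to route GET requests to this
    // action, so the JSON cannot be fetched by a cross-site GET, which is
    // what JSON hijacking depends on.
    [HttpPost]
    public JsonResult FindByCoordinates(string latitude, string longitude)
    {
        // Sample record from the post; a real action would look records up
        // using latitude and longitude.
        IList<object> records = new List<object>
        {
            new { Lat = "0.1122", Long = "51.12212" }
        };

        // Controller.Json(object) leaves JsonRequestBehavior at its MVC 2
        // default, DenyGet. If the [HttpPost] attribute were ever removed,
        // a GET would fail with the "This request has been blocked..."
        // error instead of silently returning the data.
        return Json(records);
    }
}
```

Once every caller uses POST, remove JsonRequestBehavior.AllowGet from the action; leaving it in place keeps the GET path open even though the page's own script no longer uses it.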

Hope this helps anyone that comes across this.
