Asp.Net MVC 2 JsonRequestBehavior.AllowGet

Dan posted on December 7, 2009 22:33

If you've been trying out Asp.Net MVC 2 you might come across this error:

This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request.

But it worked in MVC 1.0!  There is a security vulnerability using JQuery AJAX GET requests (JSON Hijacking) and in MVC 2 get requests  are blocked by default.  You can get around the problem and leave the security problem by adding JsonRequestBehavior.AllowGet when you return the JSON result:

   1: public JsonResult FindByCoordinates(string latitude, string longitude)

   2: {

   3:     IList<Object> records = new List<Object>

   4:         {

   5:             new 

   6:                 {

   7:                     Lat = "0.1122",

   8:                     Long = "51.12212"

   9:                 }

  10:         };

  11:  

  12:     return new JsonResult { Data = (records), JsonRequestBehavior = JsonRequestBehavior.AllowGet };

  13: }

The better approach is to avoid the possibility of JSON hijacking and use JQuery post instead:

   1: $.ajax({

   2:     type: "POST",

   3:     contentType: "application/json; charset=utf-8",

   4:     url: "/Home/FindEscortsByCoordinates",

   5: ....

   6: ....

Hope this helps anyone that comes across this.

Posted in: ASP.NET MVC  Tags: asp.net mvc, jquery, json

Actions: E-mail | Permalink | Comments (3) | Comment RSS | E-mail | Kick it! | DZone it! | del.icio.us

1a0c6fba-3377-45e9-ab9e-3e2f4779d7ff|0|.0

Comments

 DotNetKicks.com

December 8. 2009 09:02

Asp.Net MVC 2 JsonRequestBehavior.AllowGet

You've been kicked (a good thing) - Trackback from DotNetKicks.com

http://www.dotnetkicks.com/aspnet/Asp_Net_MVC_2_JsonRequestBehavior_AllowGethttp://www.dotnetkicks.com/aspnet/Asp_Net_MVC_2_JsonRequestBehavior_AllowGet

 DotNetShoutout

December 8. 2009 12:00

Asp.Net MVC 2 JsonRequestBehavior.AllowGet - Dan Gibbons

Thank you for submitting this cool story - Trackback from DotNetShoutout

http://dotnetshoutout.com/AspNet-MVC-2-JsonRequestBehaviorAllowGet-Dan-Gibbonshttp://dotnetshoutout.com/AspNet-MVC-2-JsonRequestBehaviorAllowGet-Dan-Gibbons

 topsy.com

December 8. 2009 16:00

Pingback from topsy.com

Twitter Trackbacks for
        
        Asp.Net MVC 2 JsonRequestBehavior.AllowGet
        [ifunky.net]
        on Topsy.com

http://topsy.com/tb/tinyurl.com/y9fqv88http://topsy.com/tb/tinyurl.com/y9fqv88

Add comment

Name*
E-mail*
Website
Country [Not specified] Afghanistan Albania Algeria Argentina Armenia Australia Austria Azerbaijan Bahrain Bangladesh Belarus Belgium Belize Bolivia Bosnia and Herzegovina Brazil Brunei Darussalam Bulgaria Cambodia Canada Caribbean Chile Colombia Costa Rica Croatia Czech Republic Denmark Dominican Republic Ecuador Egypt El Salvador Estonia Ethiopia Faroe Islands Finland France Georgia Germany Greece Greenland Guatemala Honduras Hong Kong S.A.R. Hungary Iceland India Indonesia Iran Iraq Ireland Islamic Republic of Pakistan Israel Italy Jamaica Japan Jordan Kazakhstan Kenya Korea Kuwait Kyrgyzstan Lao P.D.R. Latvia Lebanon Libya Liechtenstein Lithuania Luxembourg Macao S.A.R. Macedonia (FYROM) Malaysia Maldives Malta Mexico Mongolia Morocco Nepal Netherlands New Zealand Nicaragua Nigeria Norway Oman Panama Paraguay People's Republic of China Peru Philippines Poland Portugal Principality of Monaco Puerto Rico Qatar Republic of the Philippines Romania Russia Rwanda Saudi Arabia Senegal Serbia Singapore Slovakia Slovenia South Africa Spain Sri Lanka Sweden Switzerland Syria Taiwan Tajikistan Thailand Trinidad and Tobago Tunisia Turkey Turkmenistan U.A.E. Ukraine United Kingdom United States Uruguay Uzbekistan Venezuela Vietnam Yemen Zimbabwe  

biuquote

• Comment
• Preview

Comment

Notify me when new comments are added

Categories

• ASP.NET MVC
• Continuous Integration
• Development
• IIS
• Marketing
• Metastorm BPM
• SEM
• SEO
• Sharepoint
• Source Control
• Vista

Page List

• Status Availbable For Contract Work
• SVN Location

Calendar

Tag Cloud

• 64bit
• analytics
• articles
• asp.net
• asp.net mvc
• bpm
• c#
• cc.net
• cruise control
• css
• di
• entity framework
• free
• iis
• iis7
• impersonation
• installation
• ioc
• javascript
• jquery
• json
• keyboard shortcuts
• link building
• link wheel
• local business listings
• marketing
• msi
• powershell
• refactoring
• security
• sem
• seo
• setup
• sharepoint
• source control
• spring.net
• sql server 2008
• subversion
• tfs
• viewstate
• vista
• visual studio
• windows 7

Blog Roll

Download OPML file

Authors

• Dan (37)

Month List

• 2010
  • March (2)
  • February (1)
  • January (1)
• 2009
  • December (6)
  • September (1)
  • July (9)
  • June (17)

Recent Posts

• Hariz Design Review - Do not useComments: 0Rating: 0 / 0
• WSPBuilder error: Could not load type - SharepointComments: 0Rating: 0 / 0
• Vista missing mail icon in control panelComments: 0Rating: 0 / 0
• C# GetMonthName - How To Get a Month By Its NumberComments: 2Rating: 0 / 0
• Google, Bing and Yahoo Local Business ListingsComments: 0Rating: 5 / 1
• SEO Authority TaggingComments: 0Rating: 0 / 0
• SEO 2009 Ranking RoundupComments: 0Rating: 0 / 0
• Installing Metastorm 7.6 BPM on Windows 7/SQL 2008Comments: 0Rating: 0 / 0
• SEO Link Building With Comment Spam - Google Says NoComments: 0Rating: 0 / 0
• Asp.Net MVC 2 JsonRequestBehavior.AllowGetComments: 3Rating: 0 / 0

Recent Comments

• ASP.NET MVC Refactoring CSS Includes With Helper Methods (5)
  Admin wrote: Sorry Brett, missed comment that's right if the sc… [More]
• Cruise Control Auto Rebuild with CCNet.config in Source control (2)
  Admin wrote: Hmmm...Haven't seen that before it normally works … [More]
• Cruise Control Auto Rebuild with CCNet.config in Source control (2)
  Kareem wrote: Nice lil article... I've been trying to do the sam… [More]
• Upgrade Your Google Analytics Urchin Tracker Code (5)
  Cheshire dentists wrote: Really useful information for getting quick and ef… [More]
• Type datetime2 is not a defined system type - Entity Framework (2)
  Boy Graphics Comment wrote: finally i find something that i want to know.. th… [More]
• ASP.NET MVC Refactoring CSS Includes With Helper Methods (5)
  James Radford wrote: Good stuff :) [More]
• Null Args in Spring.Net Container Configuration (6)
  tooth whitening wrote: I am new in programming and webpage world, so code… [More]
• Install Subversion On Windows Server 2003 (8)
  Admin wrote: Thanks John, I'll fix that now! [More]
• ASP.NET MVC Refactoring CSS Includes With Helper Methods (5)
  Brett Slaski wrote: So what happens if you leave the css files in the … [More]
• Install Subversion On Windows Server 2003 (8)
  John Bowers wrote: BTW clicking on your name in the header image of t… [More]

Banners