What 'sensitive information' could be disclosed when setting JsonRequestBehavior to AllowGet
asp.net MvcJsonSecurityHttp PostHttp Getasp.net Mvc Problem Overview
I've been getting the same old error every time I test a new URL
from my browser's address bar when I'm returning Json
(using the built-in MVC JsonResult helper
):
> This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request
. To allow GET requests
, set JsonRequestBehavior
to AllowGet
.
Rather than grunt in acknowledgement and fire up Fiddler to do a post request, this time, I'm wondering exactly what it is that a GET
request exposes that a POST
request doesn't?
asp.net Mvc Solutions
Solution 1 - asp.net Mvc
in your return use the following:
return this.Json("you result", JsonRequestBehavior.AllowGet);
Solution 2 - asp.net Mvc
Say your website has a GetUser
web method:
http://www.example.com/User/GetUser/32
which returns a JSON response:
{ "Name": "John Doe" }
If this method accepts only POST requests, then the content will only be returned to the browser if an AJAX request is made to http://www.example.com/User/GetUser/32
using the POST method. Note that unless you have implemented CORS, the browser will protect the data from other domains making this request to yours.
However, if you allowed GET requests then as well as making an AJAX request similar to the above with GET instead of POST, a malicious user could include your JSON in the context of their own site by using a script
tag in the HTML. e.g. on www.evil.com
:
<script src="http://www.example.com/User/GetUser/32"></script>
This JavaScript should be useless to www.evil.com
because there should be no way of reading the object returned by your web method. However, due to bugs in old versions of browsers (e.g. Firefox 3), it is possible for JavaScript prototype objects to be redefined and make it possible for www.evil.com
to read your data returned by your method. This is known as JSON Hijacking.
See this post for some methods of preventing this. However, it is not a known problem with the later versions of modern browsers (Firefox, Chrome, IE).
Solution 3 - asp.net Mvc
By default, the ASP.NET MVC framework does not allow you to respond to a GET request with a JSON payload as there is a chance a malicious user can gain access to the payload through a process known as JSON Hijacking. You do not want to return sensitive information using JSON in a GET request.
If you need to send JSON in response to a GET, and aren't exposing sensitive data, you can explicitly allow the behavior by passing JsonRequestBehavior.AllowGet
as a second parameter to the Json
method.
Such as
[HttpGet] //No need to decorate, as by default it will be GET
public JsonResult GetMyData(){
var myResultDataObject = buildMyData(); // build, but keep controller thin
// delegating buildMyData to builder/Query Builder using CQRS makes easy :)
return Json(myResultDataObject, JsonRequestBehavior.AllowGet);
}
Here is an interesting article from Phil Haack JSON Hijacking
about why not to use Json with GET method
Solution 4 - asp.net Mvc
When we want to return a json object to client from MVC application, we should explicit specify JsonRequestBehavior.AllowGet when returning an object. As a result, I return json data as below to overcome the issue:
return Json(yourObjectData, JsonRequestBehavior.AllowGet);
Solution 5 - asp.net Mvc
You must be use JsonRequestBehavior.AllowGet for Json Response like this :
return Json(YourObject, JsonRequestBehavior.AllowGet);
Solution 6 - asp.net Mvc
return Json("Success", JsonRequestBehavior.AllowGet)