Question
Tuesday, October 20, 2009 12:25 PM
Hello Guys,
I'm getting this error whenever I execute a json request "This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet."
The odd thing is another developer on a different dev machine runs the same project without any problem. A possible solution I found online is to set the request to "Post" but in doing so, we would change a lot of code in our project and besides, the same exact project runs flawlessly in another machine or when we deploy it to our staging server so there is definitely something different in my dev machine.
Here's our setup:
1. Visual Studio 2008
2. We are using MVC 2 Preview
3. We are using the jqGrid which executes the json request.
4. My VS 2008 built in webserver is using the same port as the other developers VS installation.
Any help would be gladly appreciated.
Thanks!
All replies (9)
Tuesday, October 20, 2009 2:18 PM ✅Answered
in MVC v2 they block Json for GET requests (as you can tell from the error) for security reasons. If you want to override that behavior, check out the overload for Json that accepts a JsonRequestBehavior parameter.
public ActionResult Index()
{
    // Opt this one action back into GET; the MVC 2 default is to block it.
    return Json(data, JsonRequestBehavior.AllowGet);
}
Wednesday, November 24, 2010 7:16 PM ✅Answered
I described the reasons in detail here: http://haacked.com/archive/2009/06/25/json-hijacking.aspx
Long story short, if your JSON payload:
- Contains sensitive non-public data
- Returns an Array
- Responds to a GET request
Then the data is vulnerable to a JSON hijacking. Typically, it's not *your* data but the data of the users of your website.
Phil
Wednesday, October 21, 2009 4:14 PM
thanks! that was very helpful
Monday, March 1, 2010 12:49 AM
For those of you that come across the same issue:
I looked high and low for this answer and it was hard to come across since (I would guess) not a lot of folks are using MVC RC2 and jQuery right now... Very good and very helpful! Here was my use-case scenario.
I needed to implement cascading dropdown list functionality into my MVC RC2 View using jQuery. I came across a great post by Michael J. Baird at the following location.
http://www.michaeljbaird.com/post/2009/04/13/ASPnet-MVC-and-JQuery-Cascading-Droplist.aspx
I set it up on my home dev machine (Currently running MVC 1.0) and it worked well. I then set it up on my work dev machine (Currently running MVC 2.0) and it didn't work. What gives?
I came across this specific ASP.NET Forum post and the moral of the story is just as BrockAllen describes above. In MVC RC2, JSON GET requests are blocked by default for security reasons.
You can actually do some good debugging stuff in your jQuery .ajax request to see this error message.
$.ajax({
    type: "GET",
    contentType: "application/json; charset=utf-8",
    url: "FindProducts/" + color,
    data: "{}",
    dataType: "json",
    error: function (xhr, err) {
        // xhr.responseText carries the server's error page, including
        // the JsonRequestBehavior message from MVC 2.
        alert("readyState: " + xhr.readyState + "\nstatus: " + xhr.status);
        alert("responseText: " + xhr.responseText);
    }
});
The alert statements in the error attribute will give you useful error information that you can use for debugging.
To address the issue in my controller action (where I was returning a JSON result), you can see how I enabled the AllowGet() property for the JsonRequestBehavior:
public JsonResult FindProductsByColorID(int colorid)
{
//Return Json result using LINQ to SQL
//###################################################
//MVC 1.0 specific implementation - A JSON Result
//is returned.
//###################################################
//return new JsonResult
//{
// Data = (from p in Product.GetProductDataList()
// where p.ColorId == colorid
// select p).ToArray<Product>()
//};
//###################################################
//MVC RC2 specific implementation - A JSON Result
//is returned, and the AllowGet property is set for
//the JsonRequestBehavior.
//###################################################
var data = (from p in Product.GetProductDataList()
where p.ColorId == colorid
select p).ToArray<Product>();
return Json(data, JsonRequestBehavior.AllowGet);
}
Hope this helps,
Mike
Wednesday, March 3, 2010 6:09 AM
Thanks, This is really good.
Wednesday, November 24, 2010 4:33 PM
Could someone please explain what are the security reasons? I am concerned if I enable this I would be ignoring those security reasons.
Thanks
David
Wednesday, November 24, 2010 7:19 PM
see also this excellent thread on JSON Hijacking
Wednesday, November 24, 2010 10:20 PM
In the view where you call the JSON action:
<script language="javascript" type="text/javascript">
var Domain = '';
if (document.domain == 'localhost') {
Domain = "/Home/MakeJsonCall/?param=";
} else {
Domain = "../Home/MakeJsonCall/?param=";
}
function GetJsonCall(val) {
$.getJSON(Domain + val, function(data) {
alert(data.name);
alert(data.Email);
});
}
</script>
<select name="Class" id="Class" onchange="GetJsonCall(this.value)">
<option value="">Pls select</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
</select>
GetJsonCall() is a function that calls the controller action method named MakeJsonCall.
public ActionResult MakeJsonCall(int param)
{
// You can return dynamic data here instead, e.g.:
// var data = (from p in Product.GetProductDataList()
//             where p.ColorId == colorid
//             select p).ToArray<Product>();
string name = "";
string Email = "";
if (param == 1)
{
name = "moynul";
Email = "[email protected]";
}
else if (param == 2)
{
name = "Bappy";
Email = "[email protected]";
}
else if (param == 3)
{
name = "moynul.biswas";
Email = "[email protected]";
}
var datajson = new
{
    name,
    Email
};
return Json(datajson, JsonRequestBehavior.AllowGet);
}
Thursday, July 19, 2012 8:50 AM
I don't know much about JSON hijacking, but my question is this. If you're going to use AJAX/JSON for a website or web application, how can the data being passed back and forth between the server and client be secured?
In a normal HTTP post/get scenario I'm thinking Asp.net can handle authenticated users by checking the auth cookie, but I'm not sure if this cookie is passed to the server during GET requests. If it is, then why the need for extra security since Asp.net should be able to do some request validation itself?
Thanks for the input Haacked, I'm just getting into MVC now and it's quite exciting stuff, but AJAX security (or authorization) has always bothered me irrespective of the server platform.
Regards,
Jacques