"This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet."
After some research I found the cause and the solution.
Reason:
Since MVC 2, the framework refuses to serve a JsonResult in response to a GET request (as the error message says), for security reasons.
Your JSON payload is exposed when all of the following hold:
1. It contains sensitive, non-public data.
2. It returns an array at the top level.
3. It is served in response to a GET request.
4. The browser making the request has JavaScript enabled (very likely the case).
5. The browser making the request supports the __defineSetter__ method.
Then the data is vulnerable to JSON hijacking. Typically it is not *your* data that is at risk but the data of the users of your website.
For more details, look up JSON hijacking.
Solution:
1. A possible solution I found online is to serve the JSON in response to a POST request instead of a GET request.
2. If you really want GET to work, use the overload of Json that accepts a JsonRequestBehavior parameter and pass JsonRequestBehavior.AllowGet, as in the action below.
using System.Linq;
using System.Web.Mvc;

public ActionResult Index(int colorid)
{
    // Return a JSON result built with LINQ to SQL.
    //###################################################
    // MVC 1.0 specific implementation - a JsonResult
    // is constructed and returned directly.
    //###################################################
    //return new JsonResult
    //{
    //    Data = (from p in Product.GetProductDataList()
    //            where p.ColorId == colorid
    //            select p).ToArray()
    //};
    //###################################################
    // MVC 2 specific implementation - a JSON result
    // is returned, and JsonRequestBehavior.AllowGet is
    // passed so the GET request is not blocked.
    //###################################################
    var data = (from p in Product.GetProductDataList()
                where p.ColorId == colorid
                select p).ToArray();
    return Json(data, JsonRequestBehavior.AllowGet);
}
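As an added example (not code from the original post), here are the two safer variants side by side: one that keeps the array but only answers POST, and one that allows GET but removes condition 2 above by wrapping the array in an object. Product and GetProductDataList() are assumed to exist as in the post; the controller and action names are hypothetical.

```csharp
using System.Linq;
using System.Web.Mvc;

// Added example, not from the original post. Product and
// Product.GetProductDataList() are assumed to exist as in the post.
public class ProductsController : Controller
{
    // Option 1: keep the bare array, but only accept POST.
    // A cross-site <script src="..."> tag can only issue GET, so the
    // array is never handed to it. The default DenyGet is kept as an
    // extra guard in case the attribute is ever removed.
    [HttpPost]
    public ActionResult ByColor(int colorid)
    {
        var data = Product.GetProductDataList()
                          .Where(p => p.ColorId == colorid)
                          .ToArray();
        return Json(data); // JsonRequestBehavior.DenyGet is the default
    }

    // Option 2: allow GET, but never return a bare array.
    // {"items":[...]} is not a valid standalone script statement, so a
    // page that includes this URL via <script> gets a syntax error
    // instead of an executable array literal; condition 2 no longer holds.
    [HttpGet]
    public ActionResult ByColorGet(int colorid)
    {
        var data = Product.GetProductDataList()
                          .Where(p => p.ColorId == colorid)
                          .ToArray();
        return Json(new { items = data }, JsonRequestBehavior.AllowGet);
    }
}
```

Client code that consumed the old array now reads `response.items` instead of `response`; the check for condition 1 (is the data sensitive at all?) still decides whether GET should be allowed in the first place.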