"This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet."

Very recently I worked on an ASP.NET MVC application. Everything was working fine on MVC v1, but when I moved to MVC v2 I got this error:

"This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet."

After doing some R&D I found the solution:

Reason:

MVC 2 blocks JSON responses to GET requests by default (as the error message says), for security reasons: JsonResult throws an InvalidOperationException when the request is a GET and JsonRequestBehavior is left at its default value, DenyGet.

If your JSON payload:

1. contains sensitive, non-public data,
2. returns an array (a bare JSON array is also a syntactically valid JavaScript program),
3. is served in response to a GET request,
4. is requested by a browser with JavaScript enabled (very likely the case), and
5. is requested by a browser that supports the __defineSetter__ method (or lets a page override the Array constructor),

then the data is vulnerable to JSON hijacking: an attacker's page includes your endpoint with a <script src="..."> tag, the victim's browser attaches the victim's cookies to that GET, and the attacker's script hooks object or array construction so it can read the values as the response executes. Typically it is not *your* data that leaks but the data of the users of your website.

For more details, look up JSON hijacking; the 2006 Gmail contact-list disclosure is the canonical example.

Solution:

1. One solution is to serve the data in response to a POST instead of a GET. A <script src> tag can only issue GET requests, so a POST-only endpoint cannot be pulled into an attacker's page this way. In MVC 2 you can enforce this with the [HttpPost] attribute on the action and call it from your own pages with an XMLHttpRequest POST (jQuery's $.post, for example).

2. If you want to override the behavior, use the overload of Json that accepts a JsonRequestBehavior parameter and pass JsonRequestBehavior.AllowGet. Do this only when the payload contains nothing sensitive. If the data is sensitive but you still need GET, return an object that wraps the array (for example one with a single property holding it) rather than a bare array: a top-level object literal is not a runnable script, so the <script src> trick fails to parse it, while XMLHttpRequest callers on your own site can still read it as JSON.

using System.Linq;
using System.Web.Mvc;

public class ProductController : Controller
{
    // colorid is bound from the route or query string, e.g. /Product/Index?colorid=3
    public ActionResult Index(int colorid)
    {
        // Return a JSON result using LINQ to SQL

        //###################################################
        // MVC 1.0 specific implementation - a JsonResult is
        // returned directly. In MVC 2 this throws on a GET
        // because JsonRequestBehavior defaults to DenyGet.
        //###################################################
        //return new JsonResult
        //{
        //    Data = (from p in Product.GetProductDataList()
        //            where p.ColorId == colorid
        //            select p).ToArray()
        //};

        //###################################################
        // MVC 2 (RC2 and later) implementation - a JsonResult
        // is returned with JsonRequestBehavior.AllowGet, so the
        // action may answer GET requests. Only do this when the
        // payload is not sensitive.
        //###################################################
        var data = (from p in Product.GetProductDataList()
                    where p.ColorId == colorid
                    select p).ToArray();

        return Json(data, JsonRequestBehavior.AllowGet);
    }
}
