"This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet."

Very recently I worked on an ASP.NET MVC application. Everything worked fine with MVC v1, but after moving to MVC v2 I got this error:

"This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet."

After some research I found the solution:

Reason:

In MVC v2 the Json() helper rejects GET requests by default (as the error message says), for security reasons.

If your JSON payload:

1. Contains sensitive non-public data
2. Returns an array
3. Responds to a GET request
4. Is requested by a browser with JavaScript enabled (very likely the case)
5. Is requested by a browser that supports the __defineSetter__ method

then the data is vulnerable to JSON hijacking. Typically it is not *your* data that is exposed but the data of the users of your website.

See the references on JSON hijacking for more details.

Solution:

1. A possible solution I found online is to make the request with the "POST" method instead of "GET".

2. If you want to override the behavior, use the overload of Json that accepts a JsonRequestBehavior parameter.

```csharp
// colorid must come in as an action parameter; the original snippet used it
// without declaring it.
public ActionResult Index(int colorid)
{
    // Return a JSON result built with LINQ to SQL

    //###################################################
    // MVC 1.0 specific implementation - a JsonResult
    // is returned directly (GET is allowed by default).
    //###################################################
    //return new JsonResult
    //{
    //    Data = (from p in Product.GetProductDataList()
    //            where p.ColorId == colorid
    //            select p).ToArray()
    //};

    //###################################################
    // MVC RC2 specific implementation - a JsonResult
    // is returned, and the AllowGet value is passed for
    // the JsonRequestBehavior so the GET is not blocked.
    //###################################################
    var data = (from p in Product.GetProductDataList()
                where p.ColorId == colorid
                select p).ToArray();

    return Json(data, JsonRequestBehavior.AllowGet);
}
```
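The snippet above opts every caller in to GET. As an added example (not code from the original post), the controller below shows the two fixes from the Solution section side by side: AllowGet is used only for public product data that a third-party site gains nothing by reading, while per-user data keeps the MVC 2 default (GET denied), is served only over POST behind the anti-forgery token, and is wrapped in an object so the response body is never a bare array literal, which removes condition 2 from the list above. `Product`, `Order`, `GetOrdersForUser` and the view-model shapes are assumed names for this illustration.

```csharp
using System.Linq;
using System.Web.Mvc;

public class CatalogController : Controller
{
    // Public, non-sensitive data (condition 1 in the list is not met),
    // so opting in to GET with AllowGet is acceptable here.
    public ActionResult ProductsByColor(int colorid)
    {
        var data = (from p in Product.GetProductDataList()          // assumed data source
                    where p.ColorId == colorid
                    select new { p.ProductId, p.Name, p.Price }).ToArray();

        return Json(data, JsonRequestBehavior.AllowGet);
    }

    // Per-user data: keep the MVC 2 default (GET blocked) and require POST.
    // A cross-site <script src="..."> can only issue a GET, so this action is
    // unreachable that way; the anti-forgery token additionally stops a
    // cross-site page from POSTing with the victim's cookies.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult MyOrders()
    {
        var orders = (from o in Order.GetOrdersForUser(User.Identity.Name) // assumed data source
                      select new { o.OrderId, o.Total, o.Status }).ToArray();

        // Wrap the array in an object: {"orders":[...]} is not a valid
        // JavaScript statement, so it cannot be read via an array literal.
        // DenyGet is already the default; it is stated explicitly for clarity.
        return Json(new { orders }, JsonRequestBehavior.DenyGet);
    }
}
```

The client that calls MyOrders must POST the `__RequestVerificationToken` field emitted by `Html.AntiForgeryToken()` in the form body, otherwise ValidateAntiForgeryToken rejects the request. Note that browsers implementing ES5 and later no longer invoke __defineSetter__ hooks for array literals, so conditions 4 and 5 are rarely satisfied today; the POST-only and object-wrapping habits are still worth keeping because they do not depend on browser behaviour.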
