tags:

views:

1137

answers:

4
+1  Q: 

Security and Cross Domain with ASP.NET MVC JsonResult and jQuery

I am using asp.net MVC to develop an application that will have ajax interactions. I have JsonResult methods in the controller returning my json serialized data. So for example when a request is made to http://somesite.com/findwidgets/ mvc serializes the data as json and sends it back.

I am using jQuery on the client side to handle the ajax requests and to then manipulate the results. I am not having any trouble getting the data but i have found that i can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the json data as a download.

Also, how do i ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

Is cross domain the right topic here or is that speaking to other security problems?

Thanks

+1  A: 

Also, how do i ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

The issue you describe is the same one people refer to when asking how they can prevent people from posting to their form from another site. The only reasonable answer I have seen is to use some type of session key system wherein a key is generated for each request and each subsequent request must pass the previously generated key for validation. A request that arrives with no key or an invalid key is denied access.

i have found that i can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the json data as a download.

This is because JSON is not recognized as a text mime type, and browsers will only display text mime types directly in the browser. Anything else will be offered as a download rather than displayed inline.

Chris  2009-01-22 17:19:30
Thanks for your post... Do you know in the MVC framework for .net if there is a way to keep the JsonResult method from responding to requests made via the address bar?
Jeremy  2009-01-22 22:25:24
You will want to use the AcceptVerbsAttribute on your action. Basically you do not want to allow Get requests to the Action. Example, on your action add the following: [AcceptVerbs(HttpVerbs.Post)] This will ensure that only POST requests will be able to call the action.
Dale Ragan  2009-01-23 06:36:13
A: 

consider checking for request host also, and limit it to the current domain.

NTulip  2009-02-03 02:21:18
A: 

Also you can use IsAjaxRequest() property of the controller (if it false - return null result for example). In order to prevent posting/getting the data from other sites you can check Request.UrlReferrer property (but the browser can lie about it).

zihotki  2009-02-16 23:58:48
+2  A: 

With the inability to find a really good solution, I wrote my own. You are more than welcome to use it. http://hurl.me/cross-domain-ajax-calls

Jeff Ancel  2009-04-06 00:49:13

related questions

How do HttpOnly cookies work with AJAX requests?
ASP.NET JavaScript Callbacks Without Full PostBacks?
How to set encoding in .getJSON JQuery
Suggestions on Ajax development environment for PHP
Need to test an ajax timeout condition
XmlHttpRequest return values
Adobe AIR: Handling JSON objects from server
Best framework for implementing iGoogle or pageflakes (ASP.NET)
Is there some way to PUSH data from web server to browser?
Are there reasons not to use JSONP for AJA~X requests?
Minimize javascript HTTP calls from AjaxControlToolkit controls?
Only accepting certain ajax requests from authenticated users
ASP.net AJAX Drag/Drop?
Scrolling Overflowed DIVs with JavaScript
Speeding up an ASP.Net Web Site or Application
ICE Faces fileInput file path and file name properties
Ajax project suggestion.
Graphing JavaScript Library
Debugging: IE6 + SSL + AJAX + post form = 404 error
Best ajax library for Sharepoint
Can ASP.NET AJAX partial rendering work inside a SharePoint 2007 application page?
What is Progressive Enhancement?
Tracking state using ASP.NET AJAX / ICallbackEventHandler
Easy way to AJAX WebControls
Modify Address Bar URL in AJAX App to Match Current State