blocks|key|164133|text|默认情况下，JSON框架不允许您使用ASP.NET有效负载响应GET请求，因为恶意用户有可能通过称为JSON劫持的过程获得对有效负载的访问权限。您不希望在GET请求中使用JSON返回敏感信息。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|164134|如果需要发送JSON来响应GET，并且不公开敏感数据，那么可以通过将JsonRequestBehavior.AllowGet作为第二个参数传递给Json方法来显式地允许这种行为。|offset|length|style|CODE|164135|比如|164136|++[HttpGet]+//No+need+to+decorate,+as+by+default+it+will+be+GET
++public+JsonResult+GetMyData(){++
++++var+myResultDataObject+=+buildMyData();+//+build,+but+keep+controller+thin
++++//+delegating+buildMyData+to+builder/Query+Builder+using+CQRS+makes+easy+:)
++++return+Json(myResultDataObject,+JsonRequestBehavior.AllowGet);
++}|code-block|syntax|javascript|164137|这是来自Phil+Haack+JSON+Hijacking的一篇有趣的文章，关于为什么不将Json与GET方法一起使用|164138|entityMap|0|LINK|mutability|MUTABLE|url|http://haacked.com/archive/2009/06/25/json-hijacking.aspx/^0|0|Y|S|20|4|0|0|0|F|E|F|E|0|0^^$0|@$1|2|3|4|5|6|7|Y|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Z|8|@$D|10|E|11|F|G]|$D|12|E|13|F|G]]|9|@]|A|$]]|$1|H|3|I|5|6|7|14|8|@]|9|@]|A|$]]|$1|J|3|K|5|L|7|15|8|@]|9|@]|A|$M|N]]|$1|O|3|P|5|6|7|16|8|@$D|17|E|18|F|G]]|9|@$D|19|E|1A|1|1B]]|A|$]]|$1|Q|3|-4|5|6|7|1C|8|@]|9|@]|A|$]]]|R|$S|$5|T|U|V|A|$W|X]]]]

By default, the ASP.NET MVC framework does not allow you to respond to
a GET request with a JSON payload as there is a chance a malicious user can gain access to the payload through a process known as JSON Hijacking. You do not want to return sensitive information using JSON in a GET request.

If you need to send JSON in response to a GET, and aren't exposing sensitive data, you can explicitly allow the behavior by passing <code>JsonRequestBehavior.AllowGet</code> as a second parameter to the <code>Json</code>
method. 

Such as 

<pre><code> [HttpGet] //No need to decorate, as by default it will be GET
 public JsonResult GetMyData(){ 
 var myResultDataObject = buildMyData(); // build, but keep controller thin
 // delegating buildMyData to builder/Query Builder using CQRS makes easy :)
 return Json(myResultDataObject, JsonRequestBehavior.AllowGet);
 }
</code></pre>

Here is an interesting article from Phil Haack <a href="http://haacked.com/archive/2009/06/25/json-hijacking.aspx/" rel="noreferrer"><code>JSON Hijacking</code></a> about why not to use Json with GET method

blocks|key|163000|text|假设您的网站有一个GetUser+web方法：|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|163001|http://www.example.com/User/GetUser/32|163002|它返回一个JSON响应：|163003|{+"Name":+"John+Doe"+}|code-block|syntax|javascript|163004|如果此方法只接受POST请求，那么只有在使用POST方法向http://www.example.com/User/GetUser/32发出AJAX请求时，内容才会返回给浏览器。请注意，除非您实现了CORS，否则浏览器将保护数据不受向您的域发出此请求的其他域的影响。|163005|但是，如果您允许GET请求，并且使用GET而不是POST发出类似于上面的AJAX请求，恶意用户可以通过在HTML中使用script标记将您的JSON包含在他们自己的站点的上下文中。例如，在www.evil.com上：|163006|<script+src="http://www.example.com/User/GetUser/32"></script>|163007|这个JavaScript对于www.evil.com应该是无用的，因为应该没有办法读取web方法返回的对象。但是，由于旧版本浏览器(例如Firefox3)中的错误，可能会重新定义JavaScript原型对象，并使www.evil.com能够读取您的方法返回的数据。这就是所谓的JSON劫持。|163008|有关防止这种情况的一些方法，请参阅this+post。然而，在更高版本的现代浏览器(Firefox、Chrome、IE)中，这并不是一个已知的问题。|163009|entityMap|0|LINK|mutability|MUTABLE|url|https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS|1|https://security.stackexchange.com/q/7001/8340^0|9|7|0|0|12|0|0|0|T|12|2Q|4|0|0|1N|6|2M|C|0|0|E|C|2Y|C|0|H|9|1|0^^$0|@$1|2|3|4|5|6|7|18|8|@$9|19|A|1A|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|1B|8|@$9|1C|A|1D|B|C]]|D|@]|E|$]]|$1|H|3|I|5|6|7|1E|8|@]|D|@]|E|$]]|$1|J|3|K|5|L|7|1F|8|@]|D|@]|E|$M|N]]|$1|O|3|P|5|6|7|1G|8|@$9|1H|A|1I|B|C]]|D|@$9|1J|A|1K|1|1L]]|E|$]]|$1|Q|3|R|5|6|7|1M|8|@$9|1N|A|1O|B|C]|$9|1P|A|1Q|B|C]]|D|@]|E|$]]|$1|S|3|T|5|L|7|1R|8|@]|D|@]|E|$M|N]]|$1|U|3|V|5|6|7|1S|8|@$9|1T|A|1U|B|C]|$9|1V|A|1W|B|C]]|D|@]|E|$]]|$1|W|3|X|5|6|7|1X|8|@]|D|@$9|1Y|A|1Z|1|20]]|E|$]]|$1|Y|3|-4|5|6|7|21|8|@]|D|@]|E|$]]]|Z|$10|$5|11|12|13|E|$14|15]]|16|$5|11|12|13|E|$14|17]]]]

Say your website has a <code>GetUser</code> web method:

<code>http://www.example.com/User/GetUser/32</code>

which returns a JSON response:

<pre class="lang-json prettyprint-override"><code>{ "Name": "John Doe" }
</code></pre>

If this method accepts only POST requests, then the content will only be returned to the browser if an AJAX request is made to <code>http://www.example.com/User/GetUser/32</code> using the POST method. Note that unless you have implemented <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS" rel="noreferrer">CORS</a>, the browser will protect the data from other domains making this request to yours.

However, if you allowed GET requests then as well as making an AJAX request similar to the above with GET instead of POST, a malicious user could include your JSON in the context of their own site by using a <code>script</code> tag in the HTML. e.g. on <code>www.evil.com</code>:


<pre><code>&lt;script src="http://www.example.com/User/GetUser/32"&gt;&lt;/script&gt;
</code></pre>

This JavaScript should be useless to <code>www.evil.com</code> because there should be no way of reading the object returned by your web method. However, due to bugs in old versions of browsers (e.g. Firefox 3), it is possible for JavaScript prototype objects to be redefined and make it possible for <code>www.evil.com</code> to read your data returned by your method. This is known as JSON Hijacking.

See <a href="https://security.stackexchange.com/q/7001/8340">this post</a> for some methods of preventing this. However, it is not a known problem with the later versions of modern browsers (Firefox, Chrome, IE).

blocks|key|2970391|text|在您的回报中使用以下内容：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2970392|return+this.Json("you+result",+JsonRequestBehavior.AllowGet);|code-block|syntax|javascript|2970393|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

in your return use the following:

<pre><code>return this.Json("you result", JsonRequestBehavior.AllowGet);
</code></pre>

blocks|key|2757644|text|当我们想要从MVC应用程序返回一个json对象到客户端时，我们应该在返回一个对象时显式地指定JsonRequestBehavior.AllowGet。因此，我返回如下的json数据来解决这个问题：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2757645|++++return+Json(yourObjectData,+JsonRequestBehavior.AllowGet);|code-block|syntax|javascript|2757646|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

When we want to return a json object to client from MVC application, we should explicit specify JsonRequestBehavior.AllowGet when returning an object. As a result, I return json data as below to overcome the issue:

<pre><code> return Json(yourObjectData, JsonRequestBehavior.AllowGet);
</code></pre>

blocks|key|2970462|text|您必须为Json响应使用JsonRequestBehavior.AllowGet，如下所示：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2970463|return+Json(YourObject,+JsonRequestBehavior.AllowGet);|code-block|syntax|javascript|2970464|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

You must be use JsonRequestBehavior.AllowGet for Json Response like this :

<pre><code>return Json(YourObject, JsonRequestBehavior.AllowGet);
</code></pre>

blocks|key|2757715|text|return+Json(“成功”，JsonRequestBehavior.AllowGet)|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2757716|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

return Json("Success", JsonRequestBehavior.AllowGet)

I've been getting the same old error every time I test a new <code>URL</code> from my browser's address bar when I'm <code>returning Json</code> (using the built-in <code>MVC JsonResult helper</code>):

<blockquote>
 This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a <code>GET request</code>. To allow <code>GET requests</code>, set <code>JsonRequestBehavior</code> to <code>AllowGet</code>.
</blockquote>

Rather than grunt in acknowledgement and fire up Fiddler to do a post request, this time, I'm wondering exactly what it is that a <code>GET</code> request exposes that a <code>POST</code> request doesn't?

What 'sensitive information' could be disclosed when setting JsonRequestBehavior to AllowGet

JSON

每次我使用returning Json (使用内置的MVC JsonResult helper)从浏览器的地址栏测试新的URL时，都会得到相同的老错误：此请求已被阻止，因为在GET request中使用此请求时，敏感信息可能会泄露给第三方网站。要允许GET requests，请将JsonRequestBehavior设...

问将JsonRequestBehavior设置为AllowGet时可能会泄露哪些“敏感信息”
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问将JsonRequestBehavior设置为AllowGet时可能会泄露哪些“敏感信息”EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问将JsonRequestBehavior设置为AllowGet时可能会泄露哪些“敏感信息”
EN