Security and Cross Domain with ASP.NET MVC JsonRes

Published 2019-08-10 16:54

I am using asp.net MVC to develop an application that will have ajax interactions. I have JsonResult methods in the controller returning my json serialized data. So for example when a request is made to http://somesite.com/findwidgets/ mvc serializes the data as json and sends it back.

I am using jQuery on the client side to handle the ajax requests and to then manipulate the results. I am not having any trouble getting the data, but I have found that I can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the json data as a download.

Also, how do I ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

Is cross domain the right topic here or is that speaking to other security problems?

Thanks

3 answers
Evening l夕情丶
Post 2 · 2019-08-10 17:14

Also you can use the IsAjaxRequest() property of the controller (if it is false, return a null result, for example). In order to prevent posting/getting the data from other sites you can check the Request.UrlReferrer property (but the browser can lie about it).

ゆ 、 Hurt°
Post 3 · 2019-08-10 17:23

Also, how do I ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

The issue you describe is the same one people refer to when asking how they can prevent people from posting to their form from another site. The only reasonable answer I have seen is to use some type of session key system wherein a key is generated for each request and each subsequent request must pass the previously generated key for validation. A request that arrives with no key or an invalid key is denied access.

I have found that I can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the json data as a download.

This is because JSON is not recognized as a text mime type, and browsers will only display text mime types directly in the browser. Anything else will be offered as a download rather than displayed inline.

▲ chillily
Post 4 · 2019-08-10 17:28

Consider checking the request host also, and limit it to the current domain.

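The three answers above each describe one layer: require an AJAX request, check the referrer/host against the current domain, and require a per-session key that a foreign site cannot obtain. The following action filter is an added example of combining all three for a JsonResult endpoint; it is not code from the question or any of the answers. It assumes ASP.NET MVC 4 or later with System.Web.Helpers (for AntiForgery.Validate and AntiForgeryConfig.CookieName), and the attribute name, the X-CSRF-Token header name and the WidgetsController/FindWidgets action are hypothetical. The attribute is added example code, not an API of ASP.NET MVC itself.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical filter for a JSON endpoint that should only be reachable by the
// site's own jQuery code. Each check maps to one of the answers above.
public class AjaxJsonOnlyAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // 1. Reject plain navigation (address bar, links, <img>/<script> tags).
        //    jQuery's $.ajax sets "X-Requested-With: XMLHttpRequest" on same-origin
        //    calls, which is what IsAjaxRequest() looks for.
        if (!request.IsAjaxRequest())
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "AJAX requests only");
            return;
        }

        // 2. Referrer host must match the current host. Browsers do not let page
        //    scripts forge the Referer, but non-browser clients can send anything,
        //    and some browsers/proxies strip it entirely, so treat this as a hint.
        Uri referrer = request.UrlReferrer;
        if (referrer == null ||
            !string.Equals(referrer.Host, request.Url.Host, StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Cross-site request rejected");
            return;
        }

        // 3. Anti-forgery token: the cookie half is issued by the server, the other
        //    half is rendered into the page by @Html.AntiForgeryToken() and echoed
        //    back in a header. Another origin cannot read either half, so it cannot
        //    produce a valid pair. This is the real control; 1 and 2 are defence in depth.
        string headerToken = request.Headers["X-CSRF-Token"];
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        try
        {
            AntiForgery.Validate(cookie == null ? null : cookie.Value, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Invalid anti-forgery token");
        }
    }
}

public class WidgetsController : Controller
{
    // POST-only: a GET typed into the address bar never reaches this action at all,
    // and Json() keeps its default JsonRequestBehavior.DenyGet for good measure.
    [HttpPost]
    [AjaxJsonOnly]
    public JsonResult FindWidgets(string term)
    {
        // Constructed sample data standing in for the real widget lookup.
        var widgets = new[] { new { Id = 1, Name = "Widget " + term } };
        return Json(widgets);
    }
}
```

On the client side the view renders `@Html.AntiForgeryToken()` once, and the jQuery call sends the hidden field's value as the header the filter reads, for example `$.ajax({ type: 'POST', url: '/widgets/findwidgets', data: { term: 'foo' }, headers: { 'X-CSRF-Token': $('input[name="__RequestVerificationToken"]').val() } })`. Note that check 2 will reject legitimate users whose browser or proxy suppresses the Referer header, so if that shows up in your logs, drop that check and rely on the token, which is the only one of the three a foreign site cannot satisfy.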