Since ASP.NET MVC2, when you try to return a Json result without additional information, you get an error:

This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request.

You must now set the property JsonRequestBehavior to the value AllowGet:

result.JsonRequestBehavior = JsonRequestBehavior.AllowGet;

I read in a post that this prevents hijacking.

I wanted to know if there is an equivalent with Json.Net to prevent this type of attack.

Here is my code to create the Json result:

protected JsonNetResult JsonNet(object data)
{
    JsonNetResult result = new JsonNetResult();

    result.Data = data;

    return result;
}

And if you want to know where I found the JsonNetResult, here is a link.

Thank you very much.

1 Answer

You don't need it because in the custom JsonNetResult that you have shown there's no such test. So you will never get an exception like the one you would get with the standard JsonResult if you invoke the action with GET.

If you wanted you could implement exactly the same property on your custom JsonNetResult property.

public class JsonNetResult : ActionResult
{
    public JsonNetResult()
    {
        SerializerSettings = new JsonSerializerSettings();
        JsonRequestBehavior = JsonRequestBehavior.DenyGet;
    }

    public JsonRequestBehavior JsonRequestBehavior { get; set; }
    // ... (remaining members elided in the original answer)

    public override void ExecuteResult(ControllerContext context)
    {
        if (context == null)
            throw new ArgumentNullException("context");

        var httpMethod = context.HttpContext.Request.HttpMethod;

        if (JsonRequestBehavior == JsonRequestBehavior.DenyGet && 
            string.Equals(httpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("You can't access this action with GET");
        }

        // ... (rest of the method elided in the original answer)
    }
}

and if you wanted to explicitly allow this for a particular action:

protected ActionResult JsonNet(object data)
{
    JsonNetResult result = new JsonNetResult();
    result.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
    result.Data = data;
    return result;
} 
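
A complete version of such a result class, as an added example that is not part of the original answer or of the linked JsonNetResult. The `Data` property, the `application/json` content type and the serialization step are assumptions that fill in the elided parts, using only System.Web.Mvc and Json.NET types.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using Newtonsoft.Json;

public class JsonNetResult : ActionResult
{
    public JsonNetResult()
    {
        SerializerSettings = new JsonSerializerSettings();
        // Same default as the built-in JsonResult: GET is refused unless opted in.
        JsonRequestBehavior = JsonRequestBehavior.DenyGet;
    }

    // Assumed members: the answer elides them, the question's code sets Data.
    public object Data { get; set; }
    public JsonSerializerSettings SerializerSettings { get; set; }
    public JsonRequestBehavior JsonRequestBehavior { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        if (context == null)
            throw new ArgumentNullException("context");

        // Run the check before anything is written to the response,
        // so a denied GET never leaks a partial JSON body.
        if (JsonRequestBehavior == JsonRequestBehavior.DenyGet &&
            string.Equals(context.HttpContext.Request.HttpMethod, "GET",
                          StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "This JSON result is not available over GET. " +
                "Set JsonRequestBehavior to AllowGet to opt in.");
        }

        HttpResponseBase response = context.HttpContext.Response;
        response.ContentType = "application/json"; // assumed content type

        if (Data == null)
            return;

        // Serialize with Json.NET straight to the response stream.
        // The writer is flushed, not disposed, so response.Output stays open.
        var writer = new JsonTextWriter(response.Output);
        JsonSerializer.Create(SerializerSettings).Serialize(writer, Data);
        writer.Flush();
    }
}
```

With this class, an action reached over GET throws unless it sets `JsonRequestBehavior.AllowGet` on the result, which keeps the opt-in visible at each call site.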

1 Comment

Thank you Darin. It's an honor for me to receive an answer from one of the most powerful contributors of StackOverflow.
