Thursday, April 15, 2010

MVC 2: JsonRequestBehavior DenyGet

We migrated one of our projects to MVC 2 today, and one of the first things I noticed is that all my ajaxified jsony sweetness had stopped working! A quick look at the XHR revealed the following server error.
This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.
What the heck?

A quick Google turned up a couple articles about MVC 2's new JsonRequestBehavior, and specifically the MSDN article (the link to Haack is dead, so here's a good one). Ok, good to know. I wasn't aware of that vulnerability, but in the mean time I need this project working.

I could modify the actions to call a Json overload which accepts the JsonRequestBehavior.
  return Json(myjson, JsonRequestBehavior.AllowGet);
But since I have somewhere between 50-80 Json actions in this app, that would be a lot of find-replace. Plus, when I finish modifying my client library to use POST requests, I would have to do it all over again. A one stop solution would be much preferable.

If your project already uses a base controller class, you can do one simple override:
protected override JsonResult Json(object data, string contentType,
Encoding contentEncoding, JsonRequestBehavior behavior)
{
// TODO: change all my GET Json request into POST
return base.Json(data, contentType, contentEncoding,
JsonRequestBehavior.AllowGet);
}
Keep in mind this should be a temporary crutch only!

1 comment:

Samuel (Mauro) said...
This comment has been removed by the author.