A. Murray A. Murray - 11 months ago 124
JSON Question

What 'sensitive information' could be disclosed when setting JsonRequestBehavior to AllowGet

I've been getting the same old error every time I test a new

from my browser's address bar when I'm
returning Json
(using the built-in
MVC JsonResult helper

This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a
GET request
. To allow
GET requests
, set

Rather than grunt in acknowledgement and fire up Fiddler to do a post request, this time, I'm wondering exactly what it is that a
request exposes that a
request doesn't?

Answer Source

Say your website has a GetUser web method:


which returns a JSON response:

{ "Name": "John Doe" }

If this method accepts only POST requests, then the content will only be returned to the browser if an AJAX request is made to http://www.example.com/User/GetUser/32 using the POST method. Note that unless you have implemented CORS, the browser will protect the data from other domains making this request to yours.

However, if you allowed GET requests then as well as making an AJAX request similar to the above with GET instead of POST, a malicious user could include your JSON in the context of their own site by using a script tag in the HTML. e.g. on www.evil.com:

<script src="http://www.example.com/User/GetUser/32"></script>

This JavaScript should be useless to www.evil.com because there should be no way of reading the object returned by your web method. However, due to bugs in old versions of browsers (e.g. Firefox 3), it is possible for JavaScript prototype objects to be redefined and make it possible for www.evil.com to read your data returned by your method. This is known as JSON Hijacking.

See this post for some methods of preventing this. However, it is not a known problem with the later versions of modern browsers (Firefox, Chrome, IE).