Why is JsonRequestBehavior needed?
MVC defaults to DenyGet to protect you against a very specific attack involving JSON requests to improve the likelihood that the implications of allowing HTTP GET exposure are considered in advance of allowing them to occur.
This is opposed to afterwards when it might be too late.
Note: If your action method does not return sensitive data, then it should be safe to allow the get.
Further reading from my Wrox ASP.NET MVC3 book
By default, the ASP.NET MVC framework does not allow you to respond to
an HTTP GET request with a JSON payload. If you need to send JSON in
response to a GET, you'll need to explicitly allow the behavior by
using JsonRequestBehavior.AllowGet as the second parameter to the Json
method. However, there is a chance a malicious user can gain access to
the JSON payload through a process known as JSON Hijacking. You do not
want to return sensitive information using JSON in a GET request. For
more details, see Phil's post at
http://haacked.com/archive/2009/06/24/json-hijacking.aspx/ or this SO post.
Haack, Phil (2011). Professional ASP.NET MVC 3 (Wrox Programmer to Programmer) (Kindle Locations 6014-6020). Wrox. Kindle Edition.
Related StackOverflow question
With most recent browsers (starting with Firefox 21, Chrome 27, or IE 10), this is no longer a vulnerability.
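An added example, not taken from the answers above or from the Wrox book: an ASP.NET MVC 5 result filter that keeps the DenyGet default for sensitive actions and, for actions that opt in with AllowGet, wraps a top-level array (the response shape JSON hijacking relied on) in an object. The names GuardJsonGetAttribute, AccountController and the wrapper property d are assumptions made for the illustration, and the returned values are constructed sample data.

```csharp
using System;
using System.Collections;
using System.Web.Mvc;

// Hypothetical filter: apply per action/controller or register it globally.
public class GuardJsonGetAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var json = filterContext.Result as JsonResult;
        if (json == null) return;

        bool isGet = string.Equals(filterContext.HttpContext.Request.HttpMethod,
                                   "GET", StringComparison.OrdinalIgnoreCase);

        // With DenyGet the framework's JsonResult already throws on GET,
        // so only responses that opted in with AllowGet need attention.
        if (!isGet || json.JsonRequestBehavior != JsonRequestBehavior.AllowGet) return;

        // Strings and dictionaries do not serialize to a JSON array;
        // any other IEnumerable does, so wrap it: [ ... ] becomes { "d": [ ... ] }.
        bool isTopLevelArray = json.Data is IEnumerable
                               && !(json.Data is string)
                               && !(json.Data is IDictionary);
        if (isTopLevelArray)
        {
            json.Data = new { d = json.Data };
        }
    }
}

public class AccountController : Controller
{
    // Sensitive data: POST only, the DenyGet default stays in place.
    [HttpPost]
    public JsonResult Balances()
    {
        return Json(new[] { 120.50m, 99.10m }); // constructed sample values
    }

    // Non-sensitive lookup: GET is allowed explicitly; the filter wraps the array.
    [HttpGet, GuardJsonGet]
    public JsonResult Countries()
    {
        return Json(new[] { "US", "CA" }, JsonRequestBehavior.AllowGet);
    }
}
```

Client code calling Countries reads the list from the d property of the response object.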
To allow GET requests, set JsonRequestBehavior to AllowGet
You have a simple typo/syntax error:
return Json(new { total = total, data = data,JsonRequestBehavior.AllowGet });
The JsonRequestBehavior.AllowGet is the second parameter of Json - it shouldn't be part of the object:
return Json(new { total = total, data = data }, JsonRequestBehavior.AllowGet);
Can we use JsonRequestBehavior.AllowGet with [HttpPost] attribute?
Adding the JsonRequestBehavior.AllowGet parameter to your return Json has no use since your method is decorated with [HttpPost], so it can't be called using the GET verb.
You say that sometimes your system "hits with get and sometimes with post" but if you try to call this method using a GET request the routing system will most likely get a 404.
There is no way this method answers a GET request, so adding the JsonRequestBehavior.AllowGet only makes the code less clear.
If your action must be reachable using POST and GET verbs, it should be decorated with [AcceptVerbs(HttpVerbs.Post | HttpVerbs.Get)] or [AcceptVerbs("Get", "Post")].
ASP.NET Core - The name 'JsonRequestBehavior' does not exist in the current context
Returning Json-formatted data:
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;

public class ClientController : Controller
{
    // In ASP.NET Core, Json() takes no JsonRequestBehavior argument.
    public JsonResult CountryLookup()
    {
        var countries = new List<SearchTypeAheadEntity>
        {
            new SearchTypeAheadEntity {ShortCode = "US", Name = "United States"},
            new SearchTypeAheadEntity {ShortCode = "CA", Name = "Canada"}
        };
        return Json(countries);
    }
}
Why are GET requests returning JSON disallowed by default?
The reason for the DenyGet default is on MSDN with a link to Phil Haack's blog for further details. Looks like a Cross-Site scripting vulnerability.
Set JsonRequestBehavior in ASP.NET MVC 5
public JsonResult NewsLike(int ID)
{
    int Like = RNews.Like(ID);
    return Json(Like, JsonRequestBehavior.AllowGet);
}
You have to provide JsonRequestBehavior to return a Json result to the view.
Note: Json request Get behavior and HTTP Get request are not the same.
JsonRequestBehavior equivalent in Json.Net with Asp.Net Mvc
You don't need it because in the custom JsonNetResult that you have shown there's no such test. So you will never get an exception like the one you would get with the standard JsonResult if you invoke the action with GET.
If you wanted you could implement exactly the same property on your custom JsonNetResult property.
using System;
using System.Web.Mvc;
using Newtonsoft.Json;

public class JsonNetResult : ActionResult
{
    public JsonNetResult()
    {
        SerializerSettings = new JsonSerializerSettings();
        // Same default as the framework's JsonResult: refuse GET unless opted in.
        JsonRequestBehavior = JsonRequestBehavior.DenyGet;
    }

    public JsonRequestBehavior JsonRequestBehavior { get; set; }

    // ... (other members elided in the original answer)

    public override void ExecuteResult(ControllerContext context)
    {
        if (context == null)
            throw new ArgumentNullException("context");

        var httpMethod = context.HttpContext.Request.HttpMethod;
        if (JsonRequestBehavior == JsonRequestBehavior.DenyGet &&
            string.Equals(httpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("You can't access this action with GET");
        }

        // ... (serialization elided in the original answer)
    }
}
And if you wanted to explicitly allow this for a particular action:
protected ActionResult JsonNet(object data)
{
    JsonNetResult result = new JsonNetResult();
    result.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
    result.Data = data;
    return result;
}