Why Is Jsonrequestbehavior Needed

Why is JsonRequestBehavior needed?

MVC defaults to DenyGet to protect you against a very specific attack involving JSON requests, to improve the likelihood that the implications of allowing HTTP GET exposure are considered in advance of allowing them to occur.

This is opposed to afterwards when it might be too late.

Note: If your action method does not return sensitive data, then it should be safe to allow the get.

Further reading from my Wrox ASP.NET MVC3 book

By default, the ASP.NET MVC framework does not allow you to respond to
an HTTP GET request with a JSON payload. If you need to send JSON in
response to a GET, you'll need to explicitly allow the behavior by
using JsonRequestBehavior.AllowGet as the second parameter to the Json
method. However, there is a chance a malicious user can gain access to
the JSON payload through a process known as JSON Hijacking. You do not
want to return sensitive information using JSON in a GET request. For
more details, see Phil's post at
http://haacked.com/archive/2009/06/24/json-hijacking.aspx/ or this SO post.

Haack, Phil (2011). Professional ASP.NET MVC 3 (Wrox Programmer to
Programmer) (Kindle Locations 6014-6020). Wrox. Kindle Edition.

Related StackOverflow question

With most recent browsers (starting with Firefox 21, Chrome 27, or IE 10), this is no longer a vulnerability.

To allow GET requests, set JsonRequestBehavior to AllowGet

You have a simple typo/syntax error:

return Json(new { total = total, data = data,JsonRequestBehavior.AllowGet });

The JsonRequestBehavior.AllowGet is the second parameter of Json; it shouldn't be part of the object:

return Json(new { total = total, data = data }, JsonRequestBehavior.AllowGet);

Can we use JsonRequestBehavior.AllowGet with [HttpPost] attribute?

Adding the JsonRequestBehavior.AllowGet parameter to your return Json has no use since your method is decorated with [HttpPost] so it can't be called using the GET verb.

You say that sometimes your system "hits with get and sometimes with post" but if you try to call this method using a GET request the routing system will most likely get a 404.

There is no way this method answers a GET request, so adding the JsonRequestBehavior.AllowGet only makes the code less clear.

If your action must be reachable using POST and GET verbs, it should be decorated with [AcceptVerbs(HttpVerbs.Post | HttpVerbs.Get)] or [AcceptVerbs("Get", "Post")].

ASP.NET Core - The name 'JsonRequestBehavior' does not exist in the current context

Returning Json-formatted data:

using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;

public class ClientController : Controller
{
    // In ASP.NET Core, Controller.Json(object) takes no JsonRequestBehavior argument;
    // GET responses are not blocked by the framework.
    // SearchTypeAheadEntity is the poster's own model type and is not shown here.
    public JsonResult CountryLookup()
    {
        var countries = new List<SearchTypeAheadEntity>
        {
            new SearchTypeAheadEntity { ShortCode = "US", Name = "United States" },
            new SearchTypeAheadEntity { ShortCode = "CA", Name = "Canada" }
        };

        return Json(countries);
    }
}

Why are GET requests returning JSON disallowed by default?

The reason for the DenyGet default is on MSDN with a link to Phil Haack's blog for further details. Looks like a Cross-Site scripting vulnerability.

Set JsonRequestBehavior in ASP.NET MVC5

// RNews is the poster's own data-access class and is not shown here.
public JsonResult NewsLike(int ID)
{
    int Like = RNews.Like(ID);
    // AllowGet is required because the default (DenyGet) throws on an HTTP GET.
    return Json(Like, JsonRequestBehavior.AllowGet);
}

You have to provide JsonRequestBehavior to return a Json result to the view.

Note: the Json request GET behavior and an HTTP GET request are not the same thing.

JsonRequestBehavior equivalent in Json.Net with Asp.Net Mvc

You don't need it because in the custom JsonNetResult that you have shown there's no such test. So you will never get an exception like the one you would get with the standard JsonResult if you invoke the action with GET.

If you wanted you could implement exactly the same property on your custom JsonNetResult property.

public class JsonNetResult : ActionResult
{
    public JsonNetResult()
    {
        SerializerSettings = new JsonSerializerSettings();
        JsonRequestBehavior = JsonRequestBehavior.DenyGet;
    }

    public JsonRequestBehavior JsonRequestBehavior { get; set; }
    ....

    public override void ExecuteResult(ControllerContext context)
    {
        if (context == null)
            throw new ArgumentNullException("context");

        var httpMethod = context.HttpContext.Request.HttpMethod;

        if (JsonRequestBehavior == JsonRequestBehavior.DenyGet &&
            string.Equals(httpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("You can't access this action with GET");
        }

        ...
    }
}

and if you wanted to explicitly allow this for a particular action:

protected ActionResult JsonNet(object data)
{
    JsonNetResult result = new JsonNetResult();
    result.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
    result.Data = data;
    return result;
}
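As an added illustration of the guard the answers above describe (my own test code, not from any of the answers or from the MVC source): it drives the built-in System.Web.Mvc.JsonResult with a mocked request and checks that the default DenyGet rejects a GET before any data reaches the response, while AllowGet, or a POST, serialises normally. It assumes ASP.NET MVC 5, Moq and xUnit are referenced.

```csharp
using System;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Moq;
using Xunit;

// Added example: exercises the JsonRequestBehavior check inside System.Web.Mvc.JsonResult.
// Assumes MVC 5, Moq and xUnit (these are not part of the original answers).
public class JsonRequestBehaviorTests
{
    // Builds a ControllerContext whose request uses the given HTTP verb and
    // whose response writes into the supplied buffer so we can inspect it.
    private static ControllerContext BuildContext(string httpMethod, StringBuilder body)
    {
        var request = new Mock<HttpRequestBase>();
        request.SetupGet(r => r.HttpMethod).Returns(httpMethod);

        var response = new Mock<HttpResponseBase>();
        response.SetupProperty(r => r.ContentType);
        response.Setup(r => r.Write(It.IsAny<string>()))
                .Callback<string>(s => body.Append(s));

        var http = new Mock<HttpContextBase>();
        http.SetupGet(h => h.Request).Returns(request.Object);
        http.SetupGet(h => h.Response).Returns(response.Object);

        return new ControllerContext(http.Object, new RouteData(), new Mock<ControllerBase>().Object);
    }

    [Fact]
    public void DenyGet_rejects_GET_before_any_data_is_written()
    {
        var body = new StringBuilder();
        var result = new JsonResult { Data = new[] { "sensitive" } }; // DenyGet is the default

        Assert.Throws<InvalidOperationException>(() => result.ExecuteResult(BuildContext("GET", body)));
        Assert.Equal(0, body.Length); // nothing was written to the response
    }

    [Fact]
    public void AllowGet_serialises_on_GET_and_POST_is_always_allowed()
    {
        var body = new StringBuilder();
        var allowed = new JsonResult { Data = new { ok = true }, JsonRequestBehavior = JsonRequestBehavior.AllowGet };
        allowed.ExecuteResult(BuildContext("GET", body));
        Assert.Equal("{\"ok\":true}", body.ToString());

        body.Clear();
        new JsonResult { Data = new { ok = true } }.ExecuteResult(BuildContext("POST", body)); // DenyGet, but POST passes
        Assert.Equal("{\"ok\":true}", body.ToString());
    }
}
```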
