Security and Cross Domain with ASP.NET MVC JsonResult and jQuery


Question

I am using ASP.NET MVC to develop an application that will have ajax interactions. I have JsonResult methods in the controller returning my JSON serialized data. So for example when a request is made to http://somesite.com/findwidgets/ MVC serializes the data as JSON and sends it back.

I am using jQuery on the client side to handle the ajax requests and to then manipulate the results. I am not having any trouble getting the data, but I have found that I can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the JSON data as a download.

Also, how do I ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

Is cross domain the right topic here, or is that speaking to other security problems?

Thanks

Answer

> how do I ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/

The issue you describe is the same one people refer to when asking how they can prevent people from posting to their form from another site. The only reasonable answer I have seen is to use some type of session key system wherein a key is generated for each request and each subsequent request must pass the previously generated key for validation. A request that arrives with no key or an invalid key is denied access.

> I have found that I can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the JSON data as a download.

This is because JSON is not recognized as a text MIME type, and browsers will only display text MIME types directly in the browser. Anything else will be offered as a download rather than displayed inline.
