Why is JsonRequestBehavior needed?


Problem description

Why is JsonRequestBehavior needed?

If I want to restrict HttpGet requests to my action, I can decorate the action with the [HttpPost] attribute.

Example:

[HttpPost]
public JsonResult Foo()
{
    return Json("Secrets");
}

// Instead of:
public JsonResult Foo()
{
    return Json("Secrets", JsonRequestBehavior.AllowGet);
}

Why isn't [HttpPost] sufficient?
Why does the framework "bug" us with JsonRequestBehavior.AllowGet for every JsonResult that we have? If I want to deny GET requests, I'll add the HttpPost attribute.

Recommended answer

MVC defaults to DenyGet to protect you against a very specific attack involving JSON requests, to improve the likelihood that the implications of allowing HTTP GET exposure are considered in advance of allowing them to occur.

This is as opposed to afterwards, when it might be too late.

Note: If your action method does not return sensitive data, then it should be safe to allow the GET.

Further reading from my Wrox ASP.NET MVC 3 book

By default, the ASP.NET MVC framework does not allow you to respond to an HTTP GET request with a JSON payload. If you need to send JSON in response to a GET, you'll need to explicitly allow the behavior by using JsonRequestBehavior.AllowGet as the second parameter to the Json method. However, there is a chance a malicious user can gain access to the JSON payload through a process known as JSON Hijacking. You do not want to return sensitive information using JSON in a GET request. For more details, see Phil's post at http://haacked.com/archive/2009/06/24/json-hijacking.aspx/ or this SO post.

Haack, Phil (2011). Professional ASP.NET MVC 3 (Wrox Programmer to Programmer) (Kindle Locations 6014-6020). Wrox. Kindle Edition.

Related StackOverflow question

With modern browsers (from Firefox 21, Chrome 27, or IE 10 onward), this is no longer a vulnerability.
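As an added illustration (not part of the question or the answer above), here are the two patterns the answer recommends, followed by a test that shows what the DenyGet default actually does when a JsonResult is executed for a GET request. It assumes ASP.NET MVC 3 or later, plus the Moq and NUnit libraries for the test; the controller name and the data values are constructed.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;
using Moq;             // assumed: Moq mocking library (test only)
using NUnit.Framework; // assumed: NUnit (test only)

public class AccountController : Controller
{
    // Sensitive data: accept POST only and keep the DenyGet default.
    // [HttpPost] is enforced at action selection, so a GET never reaches
    // this method; DenyGet is a second, independent guard at result time.
    [HttpPost]
    public JsonResult Secrets()
    {
        return Json(new { apiKey = "constructed-sample-value" });
    }

    // Non-sensitive, public data: opting in to GET is acceptable here.
    public JsonResult PublicStatus()
    {
        return Json(new { status = "ok" }, JsonRequestBehavior.AllowGet);
    }
}

[TestFixture]
public class JsonRequestBehaviorTests
{
    // Builds a minimal ControllerContext whose request uses the given verb.
    private static ControllerContext ContextFor(string httpMethod)
    {
        var http = new Mock<HttpContextBase> { DefaultValue = DefaultValue.Mock };
        http.Setup(h => h.Request.HttpMethod).Returns(httpMethod);
        return new ControllerContext(http.Object, new RouteData(), new Mock<ControllerBase>().Object);
    }

    [Test]
    public void DenyGet_RefusesToWriteJsonOnGet()
    {
        // Calling the action directly bypasses [HttpPost]; the JsonResult's
        // own DenyGet check still rejects the GET before any JSON is written.
        JsonResult result = new AccountController().Secrets();
        Assert.Throws<InvalidOperationException>(() => result.ExecuteResult(ContextFor("GET")));
    }

    [Test]
    public void AllowGet_WritesJsonOnGet()
    {
        JsonResult result = new AccountController().PublicStatus();
        Assert.DoesNotThrow(() => result.ExecuteResult(ContextFor("GET")));
    }
}
```

The first test is the framework's "fail early" behaviour from the answer: the exception surfaces at development time rather than the payload leaking to a cross-site GET in production.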
