What 'sensitive information' could be disclosed when setting JsonRequestBehavior to AllowGet


Problem description


I've been getting the same old error every time I test a new URL from my browser's address bar when I'm returning Json (using the built-in MVC JsonResult helper):


This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.


Rather than grunt in acknowledgement and fire up Fiddler to do a post request, this time, I'm wondering exactly what it is that a GET request exposes that a POST request doesn't?

Recommended answer


Say your website has a GetUser web method:

http://www.example.com/User/GetUser/32


which returns a JSON response:

{ "Name": "John Doe" }


If this method accepts only POST requests, then the content will only be returned to the browser if an AJAX request is made to http://www.example.com/User/GetUser/32 using the POST method. Note that unless you have implemented CORS, the browser will protect the data from other domains making this request to yours.


However, if you allowed GET requests then as well as making an AJAX request similar to the above with GET instead of POST, a malicious user could include your JSON in the context of their own site by using a script tag in the HTML. e.g. on www.evil.com:

<script src="http://www.example.com/User/GetUser/32"></script>


This JavaScript should be useless to www.evil.com because there should be no way of reading the object returned by your web method. However, due to bugs in old versions of browsers (e.g. Firefox 3), it is possible for JavaScript prototype objects to be redefined and make it possible for www.evil.com to read your data returned by your method. This is known as JSON Hijacking.


See this post for some methods of preventing this. However, it is not a known problem with the later versions of modern browsers (Firefox, Chrome, IE).
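The answer above explains that the danger is the response being pulled in with a `<script src=...>` tag and executed as JavaScript. The following is an added example, not part of the original answer or of ASP.NET MVC, that makes this concrete from the defender's side: it compiles a candidate JSON body as a script (without running it) to see whether a third-party page could execute it at all, and shows two well-known ways to make a body unparseable as a script (wrapping the payload in an object, and prepending a parse-breaking prefix that legitimate callers strip). The function names, the `d` wrapper key, the `)]}',` prefix constant and the two-user list are assumptions constructed for the example; the single-user body is the one from the answer.

```javascript
// Added example (not from the original answer): decide whether a JSON response
// body would run as JavaScript if another site pulled it in with <script src=...>.
// JSON hijacking needs the body to parse as a program; a body that is a
// SyntaxError as a script cannot be executed by the including page at all.

// Compile the body as a function body without executing it. new Function()
// either returns a function or throws a SyntaxError; nothing runs because the
// returned function is never called.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Classify a response body the way a reviewer of an AllowGet endpoint would:
//   "executable"   - valid JavaScript (e.g. a bare top-level array), so a page
//                    on an old browser with redefined Array/Object setters
//                    could observe the values as the script runs
//   "syntax-error" - cannot be compiled as a script (e.g. a top-level object
//                    literal, or a body guarded by a parse-breaking prefix)
function classifyForScriptInclusion(body) {
  return parsesAsScript(body) ? "executable" : "syntax-error";
}

// Mitigation 1: never return a bare array. Wrapped in an object, the leading
// "{" is parsed as a block and the first "key": is a SyntaxError. (The key
// name "d" is an arbitrary choice for this example.)
function wrapInObject(payload) {
  return JSON.stringify({ d: payload });
}

// Mitigation 2: prepend a prefix that is never valid JavaScript. Same-origin
// callers strip it before JSON.parse; a <script> include fails at compile time.
// The exact prefix is an assumption of this example.
const HIJACK_GUARD_PREFIX = ")]}',\n";

function addGuardPrefix(jsonText) {
  return HIJACK_GUARD_PREFIX + jsonText;
}

function stripGuardPrefix(text) {
  if (!text.startsWith(HIJACK_GUARD_PREFIX)) {
    throw new Error("response missing anti-hijacking prefix");
  }
  return JSON.parse(text.slice(HIJACK_GUARD_PREFIX.length));
}

// Sample bodies: the first is the answer's GetUser response, the second is a
// constructed list endpoint of the kind that returns a bare array.
const singleUser = '{ "Name": "John Doe" }';
const userList = '[{ "Name": "John Doe" }, { "Name": "Jane Roe" }]';

function demo() {
  console.log("object literal :", classifyForScriptInclusion(singleUser));
  console.log("bare array     :", classifyForScriptInclusion(userList));
  console.log("wrapped array  :", classifyForScriptInclusion(wrapInObject(JSON.parse(userList))));
  console.log("prefixed array :", classifyForScriptInclusion(addGuardPrefix(userList)));
  console.log("client decode  :", stripGuardPrefix(addGuardPrefix(userList)).length, "users");
}

demo();
```

The check is a compile-time test only, so it reports what a browser's parser would do with the body, not whether any particular browser version has the prototype-setter bug the answer mentions. It also shows why the answer's single-object response is the safer shape: an object literal at top level is a SyntaxError as a script, while a list endpoint returning a bare array is a valid program and is the case the AllowGet guard exists for.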
