What 'sensitive information' could be disclosed when setting JsonRequestBehavior to AllowGet


Question

I've been getting the same old error every time I test a new URL from my browser's address bar when I'm returning JSON (using the built-in MVC JsonResult helper):

This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.

Rather than grunt in acknowledgement and fire up Fiddler to do a POST request, this time I'm wondering exactly what it is that a GET request exposes that a POST request doesn't?

Answer

Say your website has a GetUser web method:

http://www.example.com/User/GetUser/32

which returns a JSON response:

{ "Name": "John Doe" }

If this method accepts only POST requests, then the content will only be returned to the browser if an AJAX request is made to http://www.example.com/User/GetUser/32 using the POST method. Note that unless you have implemented CORS, the browser will protect the data from other domains making this request to yours.

However, if you allowed GET requests then, as well as making an AJAX request similar to the above with GET instead of POST, a malicious user could include your JSON in the context of their own site by using a script tag in the HTML, e.g. on www.evil.com:

<script src="http://www.example.com/User/GetUser/32"></script>

This JavaScript should be useless to www.evil.com because there should be no way of reading the object returned by your web method. However, due to bugs in old versions of browsers (e.g. Firefox 3), it is possible for JavaScript prototype objects to be redefined, making it possible for www.evil.com to read the data returned by your method. This is known as JSON Hijacking.

See this post for some methods of preventing this. However, it is not a known problem with the later versions of modern browsers (Firefox, Chrome, IE).
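The following is an added example, not part of the original question or answer and not ASP.NET MVC's own code. It models in Node.js what the answer describes: the GET/POST gate behind the error message, what a script tag on www.evil.com can and cannot do with the GetUser response, the prototype-setter hijack attempt (which an engine with the old Firefox 3 class of bug would honour and a current engine does not), and one prefix-based defence. The function names, the sample JSON bodies and the `)]}',` prefix are illustrative assumptions; the prefix is a widely used convention, not something MVC emits.

```javascript
// Added example (not from the original post): a Node.js model of the GET/POST gate
// and of the script-tag JSON hijack it guards against. All names are illustrative.
'use strict';

// The JSON the page's GetUser method returns, and the same data wrapped in an array
// (the shape many list endpoints return). Both are constructed sample inputs.
const OBJECT_JSON = '{ "Name": "John Doe" }';
const ARRAY_JSON = '[{ "Name": "John Doe" }]';

// 1. The gate that produced the error in the question, in miniature: a JsonResult
//    refuses GET unless the caller opted in with JsonRequestBehavior.AllowGet.
function executeJsonResult(requestMethod, allowGet, body = OBJECT_JSON) {
  if (requestMethod.toUpperCase() === 'GET' && !allowGet) {
    throw new Error(
      'This request has been blocked because sensitive information could be ' +
      'disclosed to third party web sites when this is used in a GET request. ' +
      'To allow GET requests, set JsonRequestBehavior to AllowGet.');
  }
  return body;
}

// 2. <script src="http://www.example.com/User/GetUser/32"> on www.evil.com fetches the
//    body with the victim's cookies and runs it as a script in evil.com's page. The
//    first question is whether the body even parses as a script: a top-level object
//    literal does not (it is read as a block statement), a top-level array does.
function parsesAsScript(body) {
  try {
    new Function(body); // parse only; nothing is executed
    return true;
  } catch (e) {
    return false;
  }
}

// 3. The hijack itself: install a setter for "Name" on Object.prototype before the
//    script runs. In engines that invoked inherited setters while building object
//    literals (the Firefox 3 era bug the answer mentions) every {"Name": ...} the
//    response creates would hand its value to the attacker. Returns what leaked;
//    on a current engine the literal defines an own property and the list stays empty.
function attemptHijack(body) {
  const leaked = [];
  Object.defineProperty(Object.prototype, 'Name', {
    configurable: true,
    get() { return undefined; },
    set(value) { leaked.push(value); },
  });
  try {
    new Function(body)(); // what the script tag would do with the response
  } catch (e) {
    // SyntaxError for bodies that are not valid scripts (e.g. a bare object literal)
  } finally {
    delete Object.prototype.Name;
  }
  return leaked;
}

// 4. One defence: prefix the body with something that is a syntax error as a script,
//    e.g. ")]}',\n" (a widely used convention, not MVC's own). A script tag chokes on
//    the prefix; the site's own XHR client strips it before JSON.parse.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function protectJson(json) {
  return ANTI_HIJACK_PREFIX + json;
}

function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('missing anti-hijack prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('POST, DenyGet ->', executeJsonResult('POST', false));
  console.log('GET, AllowGet ->', executeJsonResult('GET', true));
  try { executeJsonResult('GET', false); } catch (e) { console.log('GET, DenyGet ->', e.message); }
  console.log('object literal parses as script:', parsesAsScript(OBJECT_JSON));
  console.log('array literal parses as script:', parsesAsScript(ARRAY_JSON));
  console.log('leaked via prototype setter:', attemptHijack(ARRAY_JSON));
  console.log('protected body parses as script:', parsesAsScript(protectJson(ARRAY_JSON)));
  console.log('legit client parses protected body:', parseProtectedJson(protectJson(ARRAY_JSON)));
}
```

Run with `node`: the DenyGet/GET call throws the message from the question, the bare object literal is rejected by the parser while the array form runs, the setter trap collects nothing on a current engine (the behaviour the answer attributes to later browsers), and the prefixed body fails to parse as a script while the legitimate client still reads it. Note that the gate only helps if the cross-site request actually reaches the endpoint with the victim's cookies, which is exactly what a script tag does and what a same-site XHR to a POST-only action from another origin cannot do without CORS.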
