In an ASP.NET MVC project, the following error occurs when AJAX is used to send a GET request to a controller for JSON data: "This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet."
The error message itself already tells us the solution. The first part, "sensitive information could be disclosed to third party web sites when this is used in a GET request", means we can only use a POST request. The second part, "To allow GET requests, set JsonRequestBehavior to AllowGet", hints at a second workaround: set the JSON result object to allow HTTP GET requests from the client. The specific workarounds are as follows:
Method one: use a POST request to call the controller and obtain the JSON data
The front-end JavaScript that originally sent the AJAX request was as follows:
    /* You can see that type is set to GET */
    $.ajax({
        type: 'GET',
        url: '/Home/AjaxGetJsonData',
        success: function (data) {
            alert(data);
        },
        error: function (error) {
            alert(error.responseText);
        }
    });
Or
    $.get('/Home/AjaxGetJsonData', null, function (data) {
        alert(data);
    });
Then we just have to change the code to either of the following two forms:
    /* Changing the AJAX type parameter to POST sends a POST request, which does not trigger the error. */
    $.ajax({
        type: 'POST',
        url: '/Home/AjaxGetJsonData',
        success: function (data) {
            alert(data);
        },
        error: function (error) {
            alert(error.responseText);
        }
    });
Or
    /* You can also make the AJAX call directly with the $.post method */
    $.post('/Home/AjaxGetJsonData', null, function (data) {
        alert(data);
    });
Method two: in the JSON result object returned by the controller, set JsonRequestBehavior.AllowGet (allow HTTP GET requests from the client)
The code in the original controller is as follows:
    public ActionResult AjaxGetJsonData()
    {
        string strData = "test data";
        return Json(strData);
    }
The changed code is as follows:
    public ActionResult AjaxGetJsonData()
    {
        string strData = "test data";
        // Here we set the second parameter, JsonRequestBehavior, to AllowGet
        return Json(strData, JsonRequestBehavior.AllowGet);
    }
In the final statement, return Json(strData, JsonRequestBehavior.AllowGet), the second parameter JsonRequestBehavior.AllowGet has been added; the default is JsonRequestBehavior.DenyGet. We have to allow HTTP GET requests explicitly here because ASP.NET MVC blocks HTTP GET requests from the client by default, in order to protect the website against an information-leak vulnerability. This is a well-known vulnerability called JSON hijacking, so I recommend that AJAX calls use a POST request to obtain data, to prevent important information from being stolen by a malicious attacker.
The MSDN documentation describes it as follows: allowing GET requests can result in users visiting another site while they are still logged in to a website. This can create a security vulnerability that results in information disclosure. For details about this vulnerability, see the JSON hijacking article on Phil Haack's blog. That article is in English, and I have translated it: "JSON hijacking vulnerability (details on the use of JSON for data hijacking, and a vulnerability defense strategy)". You can also read this article: "JSON hijacking vulnerability analysis and attack drills".
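A server-side guard that complements both methods, as an added example that is not part of the original article or of ASP.NET MVC itself. The filter name GuardJsonGet and its fail-closed policy are assumptions of this example; it relies on the fact that the classic form of JSON hijacking concerns GET responses whose top level is a JSON array.

```csharp
using System;
using System.Collections;
using System.Web.Mvc;

// Hypothetical filter (name and policy are assumptions of this example).
// It rejects actions that opt in to JsonRequestBehavior.AllowGet while
// returning a top-level JSON array over GET.
public class GuardJsonGetAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var json = filterContext.Result as JsonResult;
        if (json == null)
            return; // not a JSON response

        bool isGet = string.Equals(
            filterContext.HttpContext.Request.HttpMethod, "GET",
            StringComparison.OrdinalIgnoreCase);

        // With the default DenyGet, JsonResult itself rejects GET requests,
        // so only the opted-in AllowGet case needs a check here.
        if (!isGet || json.JsonRequestBehavior != JsonRequestBehavior.AllowGet)
            return;

        // A string is IEnumerable but serializes to a JSON string, and a
        // dictionary serializes to a JSON object; neither is an array.
        bool isTopLevelArray = json.Data is IEnumerable
            && !(json.Data is string)
            && !(json.Data is IDictionary);

        if (isTopLevelArray)
            throw new InvalidOperationException(
                "JSON array returned over GET; wrap it in an object " +
                "(for example new { items = list }) or require POST.");
    }
}

[GuardJsonGet]
public class HomeController : Controller
{
    // Method one on the server side: [HttpPost] means a GET never reaches
    // this action, and the default DenyGet behaviour stays in place.
    [HttpPost]
    public ActionResult AjaxGetJsonData()
    {
        string strData = "test data";
        return Json(strData);
    }
}
```

Registering the filter in GlobalFilters.Filters instead of on one controller applies the same check to every action in the application.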
Resolving the ASP.NET MVC and jQuery error "This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request"