Question
I am using ASP.NET MVC to develop an application that will have ajax interactions. I have JsonResult methods in the controller returning my JSON serialized data. So for example when a request is made to http://somesite.com/findwidgets/ MVC serializes the data as JSON and sends it back.
I am using jQuery on the client side to handle the ajax requests and to then manipulate the results. I am not having any trouble getting the data, but I have found that I can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the JSON data as a download.
Also, how do I ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?
Is cross domain the right topic here or is that speaking to other security problems?
Thanks
Answer 1:
Also, how do I ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?
The issue you describe is the same one people refer to when asking how they can prevent people from posting to their form from another site. The only reasonable answer I have seen is to use some type of session key system wherein a key is generated for each request and each subsequent request must pass the previously generated key for validation. A request that arrives with no key or an invalid key is denied access.
I have found that I can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the JSON data as a download.
This is because JSON is not recognized as a text mime type, and browsers will only display text mime types directly in the browser. Anything else will be offered as a download rather than displayed inline.
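The per-request key scheme described in this answer, written out as an added example (not code from the original answer or from ASP.NET MVC itself): an action filter that requires each ajax call to present the key issued on the previous response, denies requests that carry no key or a wrong one, and rotates the key so a replayed request fails. The attribute name, the session slot, the header name and the sample widget data are all constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Mvc;

// Hypothetical filter implementing the "key per request" idea from the answer.
// Constructed example; not part of the original answer or of the ASP.NET MVC framework.
public class RequireRequestKeyAttribute : ActionFilterAttribute
{
    // Assumed names for the session slot and the request/response header carrying the key.
    public const string SessionSlot = "__RequestKey";
    public const string HeaderName = "X-Request-Key";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        var expected = http.Session[SessionSlot] as string;
        var presented = http.Request.Headers[HeaderName];

        // No key issued yet, no key presented, or a mismatch: deny before the action runs.
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(presented)
            || !FixedTimeEquals(expected, presented))
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }

        // Each key is single use: issue a fresh one with this response so a replay of the
        // same request (or a key copied from an earlier page) is rejected next time.
        var next = NewKey();
        http.Session[SessionSlot] = next;
        http.Response.AppendHeader(HeaderName, next);
    }

    // 256 bits from the OS CSPRNG, base64 encoded so it survives a header or a script tag.
    public static string NewKey()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(bytes); }
        return Convert.ToBase64String(bytes);
    }

    // Compare every character instead of stopping at the first difference, so the time
    // taken does not reveal how much of the key an attacker guessed correctly.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Hypothetical controller for the /findwidgets/ endpoint from the question.
public class WidgetsController : Controller
{
    // Normal page load: issue the first key and hand it to the view, which renders it into
    // the page so the jQuery code can send it back in the X-Request-Key header.
    public ActionResult Index()
    {
        var key = RequireRequestKeyAttribute.NewKey();
        Session[RequireRequestKeyAttribute.SessionSlot] = key;
        ViewData["RequestKey"] = key;
        return View();
    }

    // POST only, so a URL typed into the address bar (a GET) never reaches the JSON result,
    // and the key filter rejects anything that did not come through the issued page.
    [HttpPost]
    [RequireRequestKey]
    public JsonResult FindWidgets(string term)
    {
        // Constructed sample data standing in for the real widget lookup.
        var widgets = new[]
        {
            new { Id = 1, Name = "gear" },
            new { Id = 2, Name = "sprocket" }
        };
        return Json(widgets);
    }
}
```

On the client the key is sent by adding the header to each call (jQuery's `$.ajax` accepts a `headers` option) and replaced with the value returned in the response header. Because every successful response rotates the key, two ajax calls fired concurrently from the same page will race: the second one arrives with a key that has already been consumed and gets a 403. Either serialize the calls on the client or keep a small window of recently issued keys valid on the server if that pattern is needed.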
Answer 2:
Consider checking the request host also, and limit it to the current domain.
Answer 3:
Also you can use the IsAjaxRequest() property of the controller (if it is false, return a null result, for example). In order to prevent posting/getting the data from other sites you can check the Request.UrlReferrer property (but the browser can lie about it).
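The host and referrer checks from answers 2 and 3, combined into one filter as an added example (not code from either answer). `Request.IsAjaxRequest()` is the extension method ASP.NET MVC provides in the System.Web.Mvc namespace; it only reports whether the `X-Requested-With: XMLHttpRequest` header jQuery adds is present. The attribute name, the allowed host list (taken from the somesite.com URL in the question) and the status codes returned are assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

// Hypothetical filter combining the checks suggested in answers 2 and 3.
// Constructed example; not part of the original answers or of ASP.NET MVC.
public class SameOriginAjaxOnlyAttribute : ActionFilterAttribute
{
    // Assumed: the hosts this application is served under (answer 2's "current domain").
    private static readonly string[] AllowedHosts = { "somesite.com", "www.somesite.com" };

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Answer 3: only answer calls that carry the X-Requested-With header jQuery sets.
        // A URL typed into the address bar never has it, so the JSON is not offered as a
        // download. A 404 gives an unauthenticated caller nothing to distinguish.
        if (!request.IsAjaxRequest())
        {
            filterContext.Result = new HttpStatusCodeResult(404);
            return;
        }

        // Answer 2: the Host header the request arrived with must be one of ours, so a
        // request aimed at the server through some other name is refused.
        if (!AllowedHosts.Contains(request.Url.Host, StringComparer.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }

        // Answer 3: the page that made the call must itself have been served from one of
        // our hosts. The Referer header is set by the browser and may be absent or forged,
        // so this only stops naive cross-site use; it is not a substitute for a per-request key.
        var referrer = request.UrlReferrer;
        if (referrer == null || !AllowedHosts.Contains(referrer.Host, StringComparer.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
    }
}

// Applied to the JSON action from the question. Both attributes are ordinary MVC filters,
// so they can be stacked with a key-checking filter if one is also in use.
public class WidgetsController : Controller
{
    [SameOriginAjaxOnly]
    public JsonResult FindWidgets(string term)
    {
        // Constructed sample data standing in for the real widget lookup.
        var widgets = new[] { new { Id = 1, Name = "gear" }, new { Id = 2, Name = "sprocket" } };
        return Json(widgets);
    }
}
```

Treat these as defence in depth rather than access control: both the `X-Requested-With` and `Referer` headers are chosen by the client, so any non-browser caller can supply them. What they reliably prevent is the two cases the question describes, the address-bar download and an unmodified cross-site form or script on another domain.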
Source: https://stackoverflow.com/questions/470011/security-and-cross-domain-with-asp-net-mvc-jsonresult-and-jquery