What 'sensitive information' could be disclosed when setting JsonRequestBehavior to AllowGet

Backend · Unresolved · 6 · 632
小蘑菇 2020-11-30 00:14

I've been getting the same old error every time I test a new URL from my browser's address bar when I'm returning Json (using the built-in

6 answers
  •  离开以前 2020-11-30 00:40

    By default, the ASP.NET MVC framework does not allow you to respond to a GET request with a JSON payload as there is a chance a malicious user can gain access to the payload through a process known as JSON Hijacking. You do not want to return sensitive information using JSON in a GET request.

    If you need to send JSON in response to a GET, and aren't exposing sensitive data, you can explicitly allow the behavior by passing JsonRequestBehavior.AllowGet as a second parameter to the Json method.

    Such as

      [HttpGet] // No need to decorate, as by default it will be GET
      public JsonResult GetMyData()
      {
        var myResultDataObject = buildMyData(); // build, but keep controller thin
        // delegating buildMyData to builder/Query Builder using CQRS makes easy :)
        return Json(myResultDataObject, JsonRequestBehavior.AllowGet);
      }
    

    Here is an interesting article from Phil Haack, JSON Hijacking, about why not to use Json with the GET method.
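The split the answer describes, shown as an added example that is not code from the original post: non-sensitive data is served on GET with AllowGet, while sensitive data keeps the default DenyGet and is only reachable by POST. The controller, model and repository names (ProductsController, PublicProduct, AccountSummary, LoadCatalogue, LoadSummaryForCurrentUser) are assumptions, and the sample values are constructed. Wrapping the list in an object goes beyond the answer: it is the extra measure from Haack's article, since the hijacking technique needs a bare top-level array.

```csharp
// Added example (not from the original answer). Assumed names: ProductsController,
// PublicProduct, AccountSummary, LoadCatalogue, LoadSummaryForCurrentUser.
using System.Collections.Generic;
using System.Web.Mvc;

public class PublicProduct
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class AccountSummary
{
    public string AccountNumber { get; set; }
    public decimal Balance { get; set; }
}

public class ProductsController : Controller
{
    // Public catalogue data: nothing here is tied to the caller, so serving it on
    // GET is acceptable and AllowGet is justified. The list is wrapped in an object
    // instead of being returned as a bare top-level array, which is the shape the
    // JSON hijacking technique in Haack's article relies on.
    [HttpGet]
    public JsonResult Catalogue()
    {
        List<PublicProduct> products = LoadCatalogue(); // assumed repository call
        return Json(new { products = products }, JsonRequestBehavior.AllowGet);
    }

    // Per-user data: keep the default JsonRequestBehavior.DenyGet and accept POST only.
    // With [HttpPost] a GET never reaches this action; without it, a GET would reach
    // Json() and MVC would reject the response with InvalidOperationException
    // (the "sensitive information could be disclosed" error from the question).
    [HttpPost]
    public JsonResult Summary()
    {
        AccountSummary summary = LoadSummaryForCurrentUser(); // assumed repository call
        return Json(summary); // second argument defaults to DenyGet
    }

    private List<PublicProduct> LoadCatalogue()
    {
        // Constructed sample data so the example is self-contained.
        return new List<PublicProduct>
        {
            new PublicProduct { Id = 1, Name = "Widget" },
            new PublicProduct { Id = 2, Name = "Gadget" },
        };
    }

    private AccountSummary LoadSummaryForCurrentUser()
    {
        // Constructed sample data; a real implementation would look up the signed-in user.
        return new AccountSummary { AccountNumber = "CONSTRUCTED-0001", Balance = 42.00m };
    }
}
```

The point of the split is that AllowGet is a per-action decision: grant it only where the payload would be harmless if any site on the web could read it, and leave the default in place everywhere else so the framework keeps refusing GET for you.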
