Using MVC3's AntiForgeryToken in HTTP GET to avoid Javascript CSRF vulnerability

Backend  Unresolved  2  1057
终归单人心 2020-12-01 12:42

In regard to this Haacked blog, I'm hesitant to implement the proposed anti-JSON GET hijacking solutions since

  1. The recommended solutions to mitigating JS

2 answers
  •  遥遥无期
    2020-12-01 12:54

    I came to this problem and the solution was not so trivial; however, there is a fantastic blog to get you started. This can be used with GET and POST AJAX.

    http://johan.driessen.se/posts/Updated-Anti-XSRF-Validation-for-ASP.NET-MVC-4-RC

    If you place the following in the global namespace, all your POSTs/GETs can take advantage of having an anti-forgery token and you don't have to modify your AJAX calls. Create an input element in a common page.

    @* The hidden token input must sit inside a form with id "__AjaxAntiForgeryForm", because the jQuery selector below looks it up by that id. *@
    @using (Html.BeginForm(null, null, FormMethod.Post, new { id = "__AjaxAntiForgeryForm" }))
    {
        @Html.AntiForgeryToken()
    }

    The following JavaScript will read the anti-forgery token and add it to the request header.

    // Make sure the namespace object exists before assigning the handler to it.
    var namespace = window.namespace || {};
    namespace.ajax = namespace.ajax || {};

    //
    // Global handler for all ajax send events: reads the token rendered by
    // @Html.AntiForgeryToken() inside #__AjaxAntiForgeryForm and sends it in the
    // __RequestVerificationToken request header.
    //
    namespace.ajax.globalSendHandler = function (event, xhr, ajaxOptions) {
        // Note: ajaxSend fires for every jQuery request, including cross-origin ones;
        // check ajaxOptions.crossDomain here if the page also talks to third-party hosts.
        // Add the anti forgery token
        xhr.setRequestHeader('__RequestVerificationToken',
            $("#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]").val());
    };

    // Wire up the global jQuery ajaxSend event handler. This must come after the
    // handler is assigned; otherwise ajaxSend receives undefined and nothing is registered.
    $(document).ajaxSend(namespace.ajax.globalSendHandler);
    
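The client side above only works if the server reads the token from the header rather than from a form field, which the stock `[ValidateAntiForgeryToken]` does not do. Below is an added example of the matching server-side filter; it is not code from the answer or the linked blog, and it assumes System.Web.Helpers 2.0 (MVC 4 / WebPages 2), which exposes `AntiForgery.Validate(cookieToken, formToken)` and `AntiForgeryConfig.CookieName`. The `AccountController` is a hypothetical usage site.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Authorization filter that validates the anti-forgery token carried in the
// "__RequestVerificationToken" request header (set by the ajaxSend handler above)
// against the anti-forgery cookie issued by @Html.AntiForgeryToken().
// Assumption: System.Web.Helpers 2.0 (MVC 4), whose AntiForgery.Validate overload
// takes the two token halves explicitly instead of reading the form collection.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    private const string HeaderName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        var request = filterContext.HttpContext.Request;

        // Cookie half of the token pair; AntiForgeryConfig.CookieName is the
        // name under which the framework issued it.
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        var cookieToken = cookie == null ? null : cookie.Value;

        // Form half of the pair, delivered in the header instead of a form field.
        var headerToken = request.Headers[HeaderName];

        // Throws HttpAntiForgeryException when either half is missing, the halves
        // do not match, or the token was issued to a different user.
        AntiForgery.Validate(cookieToken, headerToken);
    }
}

// Hypothetical controller showing the filter on an AJAX GET that returns JSON:
// the token comes from the header, so GET and POST are protected the same way.
public class AccountController : Controller
{
    [HttpGet]
    [ValidateHeaderAntiForgeryToken]
    public JsonResult Balance()
    {
        return Json(new { balance = 42 }, JsonRequestBehavior.AllowGet);
    }
}
```

A request without the header, or with a header that does not match the cookie, is rejected before the action runs, which is what closes the GET-based JSON hijacking hole the question is about.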
