I am using the jQuery `getJSON` call in my ASP page. It is something like the following code:

```javascript
$.ajax({
    url: 'myUrl/myPage.aspx?callback=BookARoom',
    dataT
```
There are two problems here.

First problem: `GET` requests are supposed to be safe. There are lots of things that can trigger a `GET` request. If you are changing state based on a `GET` request, your code is dangerously broken. Use `POST`.

Secondly, other websites can cause your user to make requests to your website. This is known as Cross-Site Request Forgery. The typical solution is to require a nonce with each request. Because the nonce is unknown to the other website, they can no longer forge requests. The link I provided will give you further reading on alternative solutions.