Security and Cross Domain with ASP.NET MVC JsonResult and jQuery

By : Jeremy
Source: Stackoverflow.com
Question!

I am using asp.net MVC to develop an application that will have ajax interactions. I have JsonResult methods in the controller returning my json serialized data. So for example when a request is made to http://somesite.com/findwidgets/ mvc serializes the data as json and sends it back.

I am using jQuery on the client side to handle the ajax requests and to then manipulate the results. I am not having any trouble getting the data but i have found that i can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the json data as a download.

Also, how do i ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

Is cross domain the right topic here or is that speaking to other security problems?

Thanks

By : Jeremy


Answers

Also you can use IsAjaxRequest() property of the controller (if it false - return null result for example). In order to prevent posting/getting the data from other sites you can check Request.UrlReferrer property (but the browser can lie about it).

By : zihotki


consider checking for request host also, and limit it to the current domain.



Also, how do i ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

The issue you describe is the same one people refer to when asking how they can prevent people from posting to their form from another site. The only reasonable answer I have seen is to use some type of session key system wherein a key is generated for each request and each subsequent request must pass the previously generated key for validation. A request that arrives with no key or an invalid key is denied access.

i have found that i can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the json data as a download.

This is because JSON is not recognized as a text mime type, and browsers will only display text mime types directly in the browser. Anything else will be offered as a download rather than displayed inline.

By : Chris


This video can help you solving your question :)
By: admin