问题描述
我使用asp.net MVC开发,将有Ajax交互的应用程序。我有JsonResult方法在控制器返回我的JSON序列化的数据。因此,例如,当一个请求发送到 http://somesite.com/findwidgets/ MVC序列化数据JSON和并发回
我使用jQuery在客户端来处理Ajax请求和再处理的结果。我没有任何麻烦的数据,但我发现,我可以要求 http://somesite.com/findwidgets / 从浏览器的地址栏,它将返回JSON数据的下载。
另外,如何确保他人无法简单地使使用要求和获取数据的 http://somesite.com/findwidgets / 的?
时的跨域权的话题在这里或者是说其他的安全问题?
感谢
您所描述的问题是同一个人是指询问他们如何能prevent人们从另一个网站上张贴自己的表单时。唯一合理的解释我所看到的是使用某种类型的会话密钥系统,其中每个请求生成一个密钥,每个后续请求都必须通过pviously生成的密钥进行验证$ P $。与没有钥匙或无效键到达的请求被拒绝访问。
这是因为JSON无法识别为文本MIME类型和浏览器只能在浏览器中直接显示文本的MIME类型。别的将作为下载而不是内嵌显示。
I am using asp.net MVC to develop an application that will have ajax interactions. I have JsonResult methods in the controller returning my json serialized data. So for example when a request is made to http://somesite.com/findwidgets/ mvc serializes the data as json and sends it back.
I am using jQuery on the client side to handle the ajax requests and to then manipulate the results. I am not having any trouble getting the data but i have found that i can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the json data as a download.
Also, how do i ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?
Is cross domain the right topic here or is that speaking to other security problems?
Thanks
The issue you describe is the same one people refer to when asking how they can prevent people from posting to their form from another site. The only reasonable answer I have seen is to use some type of session key system wherein a key is generated for each request and each subsequent request must pass the previously generated key for validation. A request that arrives with no key or an invalid key is denied access.
This is because JSON is not recognized as a text mime type, and browsers will only display text mime types directly in the browser. Anything else will be offered as a download rather than displayed inline.
这篇关于安全性和跨域的ASP.NET MVC JsonResult和jQuery的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!