Security and cross-domain with ASP.NET MVC JsonResult and jQuery (tags: security, ASP.NET, jQuery)

2023-09-11 22:34:38 Author: 醉後抉定愛上你


I am using ASP.NET MVC to develop an application that will have Ajax interactions. I have JsonResult methods in the controller returning my JSON-serialized data. So, for example, when a request is made to http://somesite.com/findwidgets/ MVC serializes the data as JSON and sends it back.


I am using jQuery on the client side to handle the Ajax requests and to then manipulate the results. I am not having any trouble getting the data, but I have found that I can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the JSON data as a download.

Also, how do I ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

Is cross-domain the right topic here, or is that speaking to other security problems?

Thanks

Solution

Also, how do I ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

The issue you describe is the same one people refer to when asking how they can prevent people from posting to their form from another site. The only reasonable answer I have seen is to use some type of session key system wherein a key is generated for each request and each subsequent request must pass the previously generated key for validation. A request that arrives with no key or an invalid key is denied access.

I have found that I can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the JSON data as a download.

This is because JSON is not recognized as a text MIME type, and browsers will only display text MIME types directly in the browser. Anything else will be offered as a download rather than displayed inline.