0

I have an ASP.NET MVC action that is returning JSON. The only place I am calling that action is from one page with this code:

$.ajax({
    type: 'POST',
    url: actionUrl,
    dataType: 'json',
    ...
});

The page and this AJAX call are working fine from the user and testing perspective. However I found one error in the log saying:

This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.

and indicating my "actionUrl" in the SCRIPT_NAME server variable. The REQUEST_METHOD is GET and QUERY_STRING is empty. There is also an HTTP_REFERER server variable which indicates it is coming from the page with the above $.ajax() call, so it doesn't seem likely that someone is accessing the JSON action manually.

The only thing I have come up with is that something strange might happen if the user hits the Back or Refresh buttons in the browser, but that doesn't seem right.

Is there any solid explanation of how that one GET request could have been generated?

JoelFan
  • What triggers the ajax call? Is the URL used in a form somewhere, or an `` tag? – Pointy Nov 18 '13 at 16:18
  • The ajax call is in an event handler that I provided to a 3rd party control – JoelFan Nov 18 '13 at 16:22
  • Does your controller action have [HttpPost] or [HttpGet] above it? You can place these attributes right above the public ActionResult ... – blackops Nov 18 '13 at 16:24
  • No it doesn't have either of those attributes. – JoelFan Nov 18 '13 at 16:26
  • It will default to GET. Place [HttpPost] above it. See what you get. – blackops Nov 18 '13 at 16:27
  • http://stackoverflow.com/questions/8464677/why-is-jsonrequestbehavior-needed – Dylan Hayes Nov 18 '13 at 16:27
  • 1
    "It will default to GET"... Really? I am specifying POST explicitly in my $.ajax call! – JoelFan Nov 18 '13 at 16:32
  • @DylanHayes, I don't see how that linked question addresses my question of "How could a GET request have been generated when my $.ajax code specifies POST"? – JoelFan Nov 18 '13 at 16:34
  • Let's back it up a second. Have you set a break point on your controller action, and the ajax call is hitting the action or is it not? Are you having trouble connecting to the action or returning data? – blackops Nov 18 '13 at 16:36
  • 1
    @blackops, if I put the [HttpPost] there, and a GET request is still generated, then all that will be accomplished is to get a different error. That does not answer the question of where is the GET request coming from – JoelFan Nov 18 '13 at 16:36
  • @blackops, as I said in my question, everything is working fine for our users and in my testing. If I put a breakpoint there I see that it is coming in as a POST and returning the JSON with no problem. The only issue is figuring out that 1 error in my log. – JoelFan Nov 18 '13 at 16:38
  • Note that anybody can see the URLs that your client is using, and simply typing in the URL of that action will cause a GET transaction to be run from the browser. – Pointy Nov 18 '13 at 16:41
  • @Pointy I don't think they are typing it in because (as indicated in my question) I am seeing an HTTP_REFERER in the log entry – JoelFan Nov 18 '13 at 16:42
  • 1
    Well, strictly speaking you can't really trust REFERER, but I agree that it's unlikely. But any use of that URL as an implicit link would also cause a GET, and you'd get a REFERER then too. Or if it's in a `<form>` without a "method" attribute. – Pointy Nov 18 '13 at 16:47
  • @Pointy, it is only used from the $.ajax code... nowhere else on the site – JoelFan Nov 18 '13 at 16:49
  • I agree it's "possible" someone used Fiddler or some other technique to generate this request, but it came from an authenticated user and it's VERY unlikely, so I am trying to figure out a more likely cause – JoelFan Nov 18 '13 at 16:52
  • Is it happening every time the request is made? Or it occurred only once? – Felipe Miosso Nov 18 '13 at 16:56
  • @FelipeMiosso, as stated in the question (in bold :) "The page is working fine. However I found one error in the log" – JoelFan Nov 18 '13 at 16:58
  • @JoelFan sorry, I misunderstood the question, I thought you were asking why it was prompting you to use the allowget requestbehavior – Dylan Hayes Nov 18 '13 at 17:06
  • Does this happen on all browsers? Do you have any anywhere? – rivarolle Nov 18 '13 at 17:36
  • No . It only happened one time. It was on IE 8 / Windows XP (ack!) – JoelFan Nov 18 '13 at 17:44
  • Maybe caching issues on the client? Did the JavaScript change (used to do a GET instead of a POST)? – rivarolle Nov 18 '13 at 17:57
  • @rivarolle, no there was no change... this is the first time the code has gone live – JoelFan Nov 18 '13 at 18:33

2 Answers

1

I can only guess what probably happened. If someone is looking at the Network tab of the Developer Tools in their browser, they can see the file being called. If they right click the file and "Open in new tab", the page will be opened with a GET, and you will see the error message. Someone was probably testing and manually opened the link.

rooter
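
A way to check this explanation against the log, as an added example that is not part of the original answer: jQuery adds `X-Requested-With: XMLHttpRequest` to same-origin `$.ajax` calls and, with `dataType: 'json'`, puts `application/json` first in `Accept`, while a URL opened directly in a tab carries neither. The `HTTP_X_REQUESTED_WITH`, `HTTP_ACCEPT` and `HTTP_USER_AGENT` fields, the `/Orders/Lookup` path and every sample entry are assumptions; the question's log excerpt names only SCRIPT_NAME, REQUEST_METHOD, QUERY_STRING and HTTP_REFERER.

```javascript
'use strict';

// Classify one logged request by headers the browser attaches on its own.
function classifyRequest(vars) {
  const method = (vars.REQUEST_METHOD || '').toUpperCase();
  const fromXhr =
    (vars.HTTP_X_REQUESTED_WITH || '').toLowerCase() === 'xmlhttprequest';
  // jQuery with dataType: 'json' lists application/json first in Accept.
  const firstAccept = (vars.HTTP_ACCEPT || '').split(',')[0].trim().toLowerCase();
  if (fromXhr || firstAccept === 'application/json') {
    return 'ajax-' + method.toLowerCase();
  }
  // No AJAX markers: address bar, link, "open in new tab", or a plain form.
  return (method === 'GET' ? 'navigation-' : 'other-') + method.toLowerCase();
}

// Requests to one action that are not the expected AJAX POST.
function unexpectedRequests(entries, actionPath) {
  return entries
    .filter((e) => e.SCRIPT_NAME === actionPath)
    .map((e) => ({
      kind: classifyRequest(e),
      referer: e.HTTP_REFERER || null,
      agent: e.HTTP_USER_AGENT || null,
    }))
    .filter((r) => r.kind !== 'ajax-post');
}

// Constructed sample entries (assumed shape; not from the question's log).
const PAGE = 'https://app.example.test/Orders';
const JSON_ACCEPT = 'application/json, text/javascript, */*; q=0.01';
const SAMPLE_LOG = [
  { REQUEST_METHOD: 'POST', SCRIPT_NAME: '/Orders/Lookup', HTTP_REFERER: PAGE,
    HTTP_X_REQUESTED_WITH: 'XMLHttpRequest', HTTP_ACCEPT: JSON_ACCEPT },
  { REQUEST_METHOD: 'GET', SCRIPT_NAME: '/Orders/Lookup', HTTP_REFERER: PAGE,
    HTTP_ACCEPT: 'image/gif, image/jpeg, image/pjpeg, */*',
    HTTP_USER_AGENT: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' },
  { REQUEST_METHOD: 'GET', SCRIPT_NAME: '/Orders/Lookup', HTTP_REFERER: PAGE,
    HTTP_X_REQUESTED_WITH: 'XMLHttpRequest', HTTP_ACCEPT: JSON_ACCEPT },
  { REQUEST_METHOD: 'POST', SCRIPT_NAME: '/Orders/Save', HTTP_REFERER: PAGE,
    HTTP_X_REQUESTED_WITH: 'XMLHttpRequest', HTTP_ACCEPT: JSON_ACCEPT },
];

for (const r of unexpectedRequests(SAMPLE_LOG, '/Orders/Lookup')) {
  console.log(r.kind, r.referer, r.agent);
}
```

All of these fields are supplied by the client, as HTTP_REFERER is, so the classification is a triage hint and not proof of how the request was made.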
-2

Probably $.ajax uses some GET requests by default; use $.post() instead.

$.post( url, function( data ) {
    $( ".result" ).html( data );
});
Neoligero
  • You are saying that $.ajax will do a GET sometimes, even if I say type: 'POST' ? The jquery doc explicitly says that $.post() is just a shorthand for $.ajax({ type: 'POST' }) – JoelFan Nov 18 '13 at 17:18
  • It was just a supposition from memory, but the code is correct if you want to fix that warning. You are welcome. – Neoligero Nov 18 '13 at 20:01