When I used AJAX to get JSON information I originally received an error mentioning the request was blocked because sensitive information could be disclosed. I've read around on StackOverflow about JSON Hijacking and a variety of other security concerns. However, a majority of these posts date years back and I was wondering if the answers themselves are a bit dated... and frankly I found it all to be relatively confusing.
I'm providing a sample script I'm currently using that uses AJAX to get JSON information that utilized JsonRequestBehavior.AllowGet to work properly. This script is returning the infromation I'm asking it to. It's returning SalesOrder numbers and nothing more -- so I don't feel it's passing "sensitive" information. Should I still be concerned about any security vulnerabilities though? Is it bad practice to use the AllowGet?
Here is the script
<script>
$(document).ready(function () {
$('#printBtn').click(function () {
$.ajax({
type: 'GET',
url: '/Home/GetSalesOrderListAsJSON',
success: function(response) {
var stringOfSalesOrders = "";
var totalToMove = 0;
response.forEach(function(str) {
stringOfSalesOrders += str + ",";
totalToMove++;
});
alert("Number being moved: " + totalToMove);
$.ajax({
type: "POST",
url: "/Home/PostResults",
data: { s: numberOfActiveIds},
success: function (results) {
if(results == "Success") {
window.location.href = '/Home/Results';
}
}
});
}
});
});
});
</script>
Again, I understand this question has been asked in the past but was looking for an updated, current answer if possible. If there are valuable resources or posts worth reading please share them and I'll be sure to either mark this question as a duplicate or delete it altogether!
Thanks!
