1

I'm getting the following error returned intermittently from several of my controllers:

"This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet."

But in the return statement I do set JsonRequestBehavior to AllowGet:

    return Json(new {Success = true, Plan = populatedPlan}, JsonRequestBehavior.AllowGet);

I found the following article which describes a vulnerability when returning JSON with GET Requests.

https://haacked.com/archive/2009/06/25/json-hijacking.aspx/

I checked my code and some of the controllers were returning just a single JS array, so I fixed those to return an object with the array assigned to a property on that object. However, not all my controllers are doing this, like the one in my code snippet - that returns a JS object - but the response is still occasionally blocked.

How can I stop this error from happening?

[Edit] This is happening about 1 in every 200 requests. I'm just confused as to why it's happening when I'm already doing what the error message is explicitly telling me to do.

GooseZA
  • Possible duplicate of: https://stackoverflow.com/questions/8464677/why-is-jsonrequestbehavior-needed – Lennart May 07 '19 at 09:48
  • Did you try to rebuild your project? – Hien Nguyen May 07 '19 at 09:54
  • @HienNguyen The project compiles fine. – GooseZA May 07 '19 at 11:38
  • Can you post your controller and the calling script in the question? – Hien Nguyen May 07 '19 at 11:39
  • @Lennart - The issue is the same, yes, but the error message specifically tells me to specify AllowGet which I have done, and it still throws the error intermittently. If it blocked it every time it would be less of an issue but it's only happening every now and then. – GooseZA May 07 '19 at 11:43
  • Possible duplicate of [Why is JsonRequestBehavior needed?](https://stackoverflow.com/questions/8464677/why-is-jsonrequestbehavior-needed) – Michael Fayad Nov 01 '19 at 21:46
  • I have the same issue (every once in a while) with large Json's... Like you, I already `JsonRequestBehavior.AllowGet`... – BTC Jun 20 '23 at 14:04

2 Answers

0

Make sure you don't have another JSON return without JsonRequestBehavior.AllowGet before reaching return Json(new {Success = true, Plan = populatedPlan}, JsonRequestBehavior.AllowGet);.

Stephen Kennedy
Orestes G.
0

I had the same problem too, and I found out that my FilterAttribute blocked some requests like this:

    if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest())
    {
        filterContext.Result = new JsonResult()
        {
            Data = new
            {
                IsAuthorize = false
            }
        };
    }

Maybe you should check your FilterAttribute, and add AllowGet there too.
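
The filter from the answer above with the behavior set on its own result, as an added example that is not part of the original answer. It assumes the filter derives from ASP.NET MVC's AuthorizeAttribute; the class name is hypothetical.

```csharp
using System.Web.Mvc;

// Hypothetical filter name. The payload shape (IsAuthorize) is taken from the
// answer above; deriving from AuthorizeAttribute is an assumption.
public class AjaxAwareAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        if (!request.IsAjaxRequest())
        {
            // Non-AJAX requests keep the framework's default handling.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // JsonResult defaults to JsonRequestBehavior.DenyGet, and executing a
        // DenyGet result for a GET request throws the "This request has been
        // blocked..." InvalidOperationException, no matter what the controller
        // action itself would have returned.
        //
        // This branch only runs when a request is rejected, so a missing
        // AllowGet here surfaces only on those requests.
        //
        // The body is a JSON object holding one boolean, not a top-level
        // array and not user data, so allowing GET for it does not expose
        // the kind of response the JSON hijacking article is about.
        filterContext.Result = new JsonResult
        {
            Data = new { IsAuthorize = false },
            JsonRequestBehavior = JsonRequestBehavior.AllowGet
        };
    }
}
```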