Thursday, July 20, 2017

System.InvalidOperationException: This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet

I encountered the error “This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.” when I tried to return a JSON response from an MVC controller.

Here is the MVC controller method that returns the JSON response:

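    public JsonResult GetUserClaims(string userID)
    {
        var response = _userManager.GetClaims(userID);
        // Json(data) defaults to JsonRequestBehavior.DenyGet, so calling this
        // action with an HTTP GET throws InvalidOperationException.
        return Json(response);
    }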



Here is the reason for this exception:
By default, the ASP.NET MVC framework does not allow you to respond to an HTTP GET request with a JSON payload.

If you need to send JSON in response to a GET, you'll need to explicitly allow the behavior by using JsonRequestBehavior.AllowGet as the second parameter to the Json method. However, there is a chance a malicious user can gain access to the JSON payload through a process known as JSON Hijacking. You do not want to return sensitive information using JSON in a GET request.

Here is the way to set JsonRequestBehavior to AllowGet for the JSON response:

    public JsonResult GetUserClaims(string userID)
    {
        var response = _userManager.GetClaims(userID);
        // Explicitly opt in to returning JSON from an HTTP GET request.
        return Json(response, JsonRequestBehavior.AllowGet);
    }
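Because the claims returned here are sensitive, the two usual alternatives to simply allowing GET are sketched below. This is an added example, not code from the original post. IUserClaimsSource, UserClaimsController and GetUserClaimsWrapped are hypothetical names, and the controller is assumed to receive its dependency through constructor injection.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;

// Hypothetical stand-in for the post's _userManager; only GetClaims is assumed.
public interface IUserClaimsSource
{
    IList<Claim> GetClaims(string userID);
}

public class UserClaimsController : Controller
{
    private readonly IUserClaimsSource _userManager;

    public UserClaimsController(IUserClaimsSource userManager)
    {
        _userManager = userManager;
    }

    // Option 1: keep the default (DenyGet) and accept POST only.
    // A GET request is never dispatched to this action, so another site
    // cannot pull the JSON in with a <script src="..."> tag.
    [HttpPost]
    public JsonResult GetUserClaims(string userID)
    {
        var response = _userManager.GetClaims(userID)
            .Select(c => new { c.Type, c.Value })   // serialize only what the client needs
            .ToList();
        return Json(response);                      // JsonRequestBehavior.DenyGet is the default
    }

    // Option 2: GET is required. Wrap the list in an object so the top-level
    // JSON value is not an array, the shape JSON hijacking depended on.
    [HttpGet]
    public JsonResult GetUserClaimsWrapped(string userID)
    {
        var claims = _userManager.GetClaims(userID)
            .Select(c => new { c.Type, c.Value })
            .ToList();
        return Json(new { claims }, JsonRequestBehavior.AllowGet);
    }
}
```

With Option 1 the client must call the action with POST (for example, jQuery's `$.post`); with Option 2 the client reads the list from the `claims` property of the response object.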
