Problem
What is the purpose of JsonRequestBehavior?
If I want to limit HttpGet requests to my action, I can use the [HttpPost] attribute to decorate it.
Example:
    [HttpPost]
    public JsonResult Foo()
    {
        return Json("Secrets");
    }

    // Instead of:
    public JsonResult Foo()
    {
        return Json("Secrets", JsonRequestBehavior.AllowGet);
    }
Why isn’t [HttpPost] enough? Why does the framework “bug” us with JsonRequestBehavior.AllowGet for every JsonResult that we have? If I want to deny GET requests I’ll add the HttpPost attribute.
Asked by gdoron is supporting Monica
Solution #1
MVC defaults to DenyGet to protect you from a very particular attack involving JSON requests and to increase the likelihood that the consequences of enabling HTTP GET exposure are considered before they happen.
This is in contrast to later, when it may be too late.
Note: Allowing the get should be safe if your action method does not return sensitive data.
Additional material from my Wrox ASP.NET MVC3 book
Related StackOverflow question
With most recent browsers (starting with Firefox 21, Chrome 27, or IE 10), this is no longer a vulnerability.
Answered by danludwig
Solution #2
You may also build an ActionFilterAttribute to make things easy for yourself.

    using System;
    using System.Web.Mvc;

    public class AllowJsonGetAttribute : ActionFilterAttribute
    {
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            // The filter only makes sense on actions that return a JsonResult.
            var jsonResult = filterContext.Result as JsonResult;
            if (jsonResult == null)
                throw new ArgumentException(
                    "Action does not return a JsonResult, attribute AllowJsonGet is not allowed");

            // Override the DenyGet default before the result is written.
            jsonResult.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
            base.OnResultExecuting(filterContext);
        }
    }

And put it to good use on your action:
    [AllowJsonGet]
    public JsonResult MyAjaxAction()
    {
        return Json("this is my test");
    }
Answered by Arjen de Mooij
Solution #3
JsonResult is set to “Deny get” by default.
Assume we have a procedure like the one below.
[HttpPost]
public JsonResult amc(){}
It is set to “Deny Get” by default.
The following procedure is used.
public JsonResult amc(){}
When you need to allow GET or use GET, we have to use JsonRequestBehavior.AllowGet.

    public JsonResult amc()
    {
        return Json(new Modle.JsonResponseData { Status = flag, Message = msg, Html = html }, JsonRequestBehavior.AllowGet);
    }
Answered by Deepakmahajan
Solution #4
AllowJsonGetAttribute is now applied to mvc-controllers (not just individual action-methods), which improves on @Arjen de Mooij’s answer:
    using System.Web.Mvc;

    public sealed class AllowJsonGetAttribute : ActionFilterAttribute, IActionFilter
    {
        // Runs after the action method; non-JSON results are left untouched,
        // which is what makes the attribute usable on a whole controller.
        void IActionFilter.OnActionExecuted(ActionExecutedContext context)
        {
            var jsonResult = context.Result as JsonResult;
            if (jsonResult == null) return;

            jsonResult.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
        }

        // Runs just before the result executes; same rule as above.
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            var jsonResult = filterContext.Result as JsonResult;
            if (jsonResult == null) return;

            jsonResult.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
            base.OnResultExecuting(filterContext);
        }
    }
Answered by XDS
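Once a filter like the AllowJsonGetAttribute above is applied to whole controllers, it helps to know which JSON actions are actually reachable over GET. The following is an added example, not code from any of the answers; `JsonGetAudit` and its method names are hypothetical, and it assumes the project references System.Web.Mvc (ASP.NET MVC 3 or later).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Added example (hypothetical helper): list actions that return JsonResult
// and are not restricted away from GET, as a review queue for sensitive data.
public static class JsonGetAudit
{
    public static List<string> FindGetReachableJsonActions(Assembly assembly)
    {
        var findings = new List<string>();
        foreach (var type in assembly.GetTypes())
        {
            if (type.IsAbstract || !typeof(Controller).IsAssignableFrom(type)) continue;
            var flags = BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly;
            foreach (var method in type.GetMethods(flags))
            {
                if (!typeof(JsonResult).IsAssignableFrom(method.ReturnType)) continue;
                if (!AcceptsGet(method)) continue;
                // On the method or on its controller, the filter forces AllowGet.
                bool forced = HasFilter(method) || HasFilter(type);
                findings.Add(type.FullName + "." + method.Name
                    + (forced ? " (AllowGet forced by filter)" : " (check the Json(...) call)"));
            }
        }
        return findings;
    }

    // MVC runs an action only if every selector attribute accepts the request,
    // so a single selector that excludes GET blocks it.
    private static bool AcceptsGet(MethodInfo method)
    {
        foreach (var attr in method.GetCustomAttributes(typeof(ActionMethodSelectorAttribute), true))
        {
            if (attr is NonActionAttribute || attr is HttpPostAttribute
                || attr is HttpPutAttribute || attr is HttpDeleteAttribute) return false;
            var verbs = attr as AcceptVerbsAttribute;
            if (verbs != null && !verbs.Verbs.Contains("GET", StringComparer.OrdinalIgnoreCase)) return false;
        }
        return true;
    }

    // Matched by type name because AllowJsonGetAttribute is application code.
    private static bool HasFilter(MemberInfo member)
    {
        return member.GetCustomAttributes(true).Any(a => a.GetType().Name == "AllowJsonGetAttribute");
    }
}
```

Reflection cannot see whether a method body passes JsonRequestBehavior.AllowGet, and actions declared as ActionResult are not listed, so treat the output as a starting list for manual review of what each action returns.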
Solution #5
You don’t require it.
If your action has the HttpPost attribute, you can ignore the JsonRequestBehavior attribute and use the overload without it. Each method has an overload without the JsonRequestBehavior enum. They are as follows:

Without JsonRequestBehavior

    protected internal JsonResult Json(object data);
    protected internal JsonResult Json(object data, string contentType);
    protected internal virtual JsonResult Json(object data, string contentType, Encoding contentEncoding);

With JsonRequestBehavior

    protected internal JsonResult Json(object data, JsonRequestBehavior behavior);
    protected internal JsonResult Json(object data, string contentType,
                                       JsonRequestBehavior behavior);
    protected internal virtual JsonResult Json(object data, string contentType,
        Encoding contentEncoding, JsonRequestBehavior behavior);
Answered by CodingYoshi
Post is based on https://stackoverflow.com/questions/8464677/why-is-jsonrequestbehavior-needed