Jquery – Security and Cross Domain with ASP.NET MVC JsonResult and jQuery

ajaxasp.net-mvccross-domainjqueryjson

I am using asp.net MVC to develop an application that will have ajax interactions. I have JsonResult methods in the controller returning my json serialized data. So for example when a request is made to http://somesite.com/findwidgets/ mvc serializes the data as json and sends it back.

I am using jQuery on the client side to handle the ajax requests and to then manipulate the results. I am not having any trouble getting the data but i have found that i can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the json data as a download.

Also, how do i ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

Is cross domain the right topic here or is that speaking to other security problems?

Thanks

Best Solution

Also, how do i ensure that others cannot simply make requests and grab data using http://somesite.com/findwidgets/ ?

The issue you describe is the same one people refer to when asking how they can prevent people from posting to their form from another site. The only reasonable answer I have seen is to use some type of session key system wherein a key is generated for each request and each subsequent request must pass the previously generated key for validation. A request that arrives with no key or an invalid key is denied access.

i have found that i can make requests to http://somesite.com/findwidgets/ from the address bar of the browser and it will return the json data as a download.

This is because JSON is not recognized as a text mime type, and browsers will only display text mime types directly in the browser. Anything else will be offered as a download rather than displayed inline.