This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow G

4 posts, 1 answer
  1. GarfieldTech
    11 posts
    Member since:
    Jun 2015

    Posted 22 Apr 2019

    CostCenterController:

    public ActionResult CostCenters_Read([DataSourceRequest] DataSourceRequest request)
    {
        return Json(ccService.Read().ToDataSourceResult(request));
    }

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult CostCenters_Create([DataSourceRequest] DataSourceRequest request, CostCenterViewModel cc)
    {
        if (cc != null && ModelState.IsValid)
        {
            ccService.Create(cc);
        }
        //return Json(cc, JsonRequestBehavior.AllowGet);
        return Json(new[] { cc }.ToDataSourceResult(request, ModelState));
    }

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult CostCenters_Update([DataSourceRequest] DataSourceRequest request, CostCenterViewModel cc)
    {
        if (cc != null && ModelState.IsValid)
        {
            ccService.Update(cc);
        }
        return Json(new[] { cc }.ToDataSourceResult(request, ModelState));
    }

    Index.cshtml:

    @(Html.Kendo().Grid<Main.Models.Quality.CostCenterViewModel>()
        .Name("CostCenter")
        .Columns(columns =>
        {
            columns.Bound(c => c.CostCenterID);
            columns.Bound(c => c.CC).Width(140);
            columns.Bound(c => c.Rate).Width(140);
            columns.Bound(c => c.Date).Width(100);
            columns.Command(command => command.Destroy()).Width(110);
        })
        .ToolBar(toolbar => toolbar.Create())
        .Editable(editable => editable.Mode(GridEditMode.PopUp))
        .Pageable()
        .Sortable()
        .Scrollable()
        .HtmlAttributes(new { style = "height:550px;" })
        .DataSource(dataSource => dataSource
            .Ajax()
            .PageSize(20)
            .Events(events => events.Error("error_handler"))
            .Model(model => model.Id(c => c.CostCenterID))
            .Create(update => update.Action("CostCenters_Create", "CostCenter"))
            .Read(read => read.Action("CostCenters_Read", "CostCenter"))
            .Update(update => update.Action("CostCenters_Update", "CostCenter"))
            .Destroy(update => update.Action("CostCenters_Destroy", "CostCenter"))
        )
    )

    <script type="text/javascript">
        function error_handler(e) {
            if (e.errors) {
                var message = "Errors:\n";
                $.each(e.errors, function (key, value) {
                    if ('errors' in value) {
                        $.each(value.errors, function () {
                            message += this + "\n";
                        });
                    }
                });
                alert(message);
            }
        }
    </script>

    I set up CostCenterService; the code is similar to ProductService.

    It shows up as normal, but when I click "New Record", it pops up an error: "This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet."

    In the controller, I tried to replace `return Json(cc, JsonRequestBehavior.AllowGet);` with `return Json(new[] { cc }.ToDataSourceResult(request, ModelState));`, but no luck.

  2. Answer
    Georgi
    Admin
    685 posts

    Posted 24 Apr 2019

    Hi,

    By default, the ASP.NET MVC framework does not allow you to respond to a GET request with a JSON payload as there is a chance a malicious user can gain access to the payload through a process known as JSON Hijacking.

    To avoid this behavior configure your response as follows:

    return Json(ccService.Read().ToDataSourceResult(request), JsonRequestBehavior.AllowGet);

    Another solution would be to use POST for read requests.


    Regards,
    Georgi
    Progress Telerik
    Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
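    The two options Georgi gives above, written out as an added example (not code from the thread, from Telerik, or from the poster's project). It assumes an `ICostCenterService` interface behind the poster's `ccService` field and reuses the `CostCenterViewModel`, `DataSourceRequest` and `ToDataSourceResult` names already on the page; the second action name, `CostCenters_ReadPost`, is made up here so both variants can sit side by side.

```csharp
using System.Web.Mvc;
using Kendo.Mvc.Extensions;
using Kendo.Mvc.UI;

// Added example: the MVC-side fix for "This request has been blocked ...".
// ICostCenterService is an assumed interface name; CostCenterViewModel,
// DataSourceRequest and ToDataSourceResult are the names used in the thread.
public class CostCenterController : Controller
{
    private readonly ICostCenterService ccService;

    public CostCenterController(ICostCenterService ccService)
    {
        this.ccService = ccService;
    }

    // Option 1: keep serving the read over GET and opt in explicitly.
    // JsonResult throws InvalidOperationException on a GET unless
    // JsonRequestBehavior.AllowGet is passed; the DenyGet default exists
    // because a third-party page can pull any GET URL in via <script src>,
    // and older browsers let that page read a top-level JSON array from it.
    // Opt in only for data you are comfortable handing to any site the
    // signed-in user happens to visit.
    public ActionResult CostCenters_Read([DataSourceRequest] DataSourceRequest request)
    {
        return Json(ccService.Read().ToDataSourceResult(request), JsonRequestBehavior.AllowGet);
    }

    // Option 2: refuse GET altogether. A <script src> include can only issue
    // a GET, so a POST-only action is never reachable that way: MVC answers
    // a GET that matches no action with 404, and the JSON is never built.
    // No AllowGet is needed because the DenyGet check only fires on GET.
    [HttpPost]
    public ActionResult CostCenters_ReadPost([DataSourceRequest] DataSourceRequest request)
    {
        return Json(ccService.Read().ToDataSourceResult(request));
    }
}
```

    To use option 2 the grid's `.Read(...)` in Index.cshtml has to point at the POST-only action and send the request as a POST; the Kendo builder exposes this as `.Read(read => read.Action("CostCenters_ReadPost", "CostCenter").Type(HttpVerbs.Post))` (an assumption about the builder API, check it against the Kendo MVC version in use). A quick check for either option is to paste the read URL into the browser address bar: with option 1 the JSON is returned, with option 2 the server answers 404. Note that the JSON hijacking risk Georgi refers to concerns responses that parse as a JavaScript array literal; `ToDataSourceResult` wraps the rows in an object (`Data`, `Total`, ...), which is not executable as a script on its own, so the verb restriction is the belt to that brace rather than a replacement for it.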
  3. GarfieldTech
    11 posts
    Member since:
    Jun 2015

    Posted 22 Jun 2019 in reply to Georgi

    Thank you, Georgi...

    This resolved it... The grid table does not pick up but is blank... When "New Record" is clicked, does it query the list?

    Will figure out why...

  4. Georgi
    Admin
    685 posts

    Posted 25 Jun 2019

    Hello David,

    Do you mean that the grid is not binding correctly? I am not sure that I fully understand by `When clicked "New Record" it query list?`. Are you asking whether the grid requests data when the `New Record` is pressed? If that is the case, no, the grid will simply add an empty record to the dataSource and request the server after the user presses the update button. 

    Please let me know if this answers your questions.


    Regards,
    Georgi
    Progress Telerik