I developed an application in ASP.NET MVC. This app has an action that returns a Json开发者_开发技巧Result and I get it with jquery in client side. Everything works fine but I'd like to know, if is there any way to make a security in this action to return only requests that came from my website.
Is there any way to avoid others websites to request this action? Or avoid javascript in address bar (script injection) ?
Thanks
Short answer: No
Long answer: The only way to know that a request is legitimate is to interpret what's coming with the request. There's no magic in the http protocol. Probably, the most reliable way is to check the referrer and ensure that it's your site. But it's not hard to fool that check..
I have not tried this yet but have been thinking about how I might achieve this as well. My current thoughts are to add a custom attribute to the action that checks a token appended to the cal by the requesting application.
The token would be generated by the calling application based on a seed key that was provided to the requester upon applying to use the API. The custom attribute would authenticate the key before the action ran either allowing or denying the call.
As I said not fully formed yet but was thinking along these lines ... good luck and if you come up with something make sure you post back.
For other sites:
- You can check the referrer, but that can be spoofed.
- You can check to see if you have an active session with the user.
For the address bar:
- There is nothing you can really do about that.
Others Websites can't make requests to your action using ajax because HTTP doesn't allow it, but it can still get called from the address bar, other program or anything.
If you whant to allow calls to your action only from specific parts of your website you can use the the html helper AntiForgeryToken and the attribute [ValidateAntiForgeryToken], you can check a tutorial about this over here: http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx. It's pretty much the idea abarr posted.
精彩评论