I have a JSON method that accepts a GET request and returns a JSON object (not array). I’m aware of JSON Hijacking and the implications. I’ve read the Phil Haack post. The problem is that the method works 98% of the time for GET and POST. The other times I’m recording this error:
This request has been blocked because sensitive information could be disclosed to
third party web sites when this is used in a GET request. To allow GET requests, set
JsonRequestBehavior to AllowGet.
My method is simple and takes a single integer parameter…
[Authorize]
public ActionResult MyMediaJSON(int? id) {
    // <get data & return result>
}
What conditions trigger the message? What should I look for as I debug this?
I’ve just looked at the MVC source code and it does not add up with what you are saying in your question.
To me it looks like JsonRequestBehavior.DenyGet is used for all JSON results per default. Hence you should get the error message each time you try to return JSON from a controller using a GET request (without specifying JsonRequestBehavior.AllowGet).
The actual control is done in JsonResult.ExecuteResult and looks like:
Any actions that are getting invoked through GET that returns JsonResult without specifying JsonRequestBehavior.AllowGet. (the Json method in the controller uses JsonResult)
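The behaviour discussed in this thread, as an added example that is not part of the question or the answer: the action as posted, a POST-only variant that keeps the DenyGet default, and an explicit AllowGet opt-in. It assumes an ASP.NET MVC project referencing System.Web.Mvc; `LogHttpMethodAttribute`, `MediaController`, `MyMediaJsonPost`, `MyMediaJsonGet` and `LoadMedia` are hypothetical names, and the returned data is constructed.

```csharp
using System.Diagnostics;
using System.Web.Mvc;

// Hypothetical debugging filter: logs the HTTP verb of each request that reaches
// an action, so the blocked requests can be matched to GET in the trace output.
public class LogHttpMethodAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        Trace.TraceInformation("{0} {1} -> {2}", request.HttpMethod,
            request.RawUrl, filterContext.ActionDescriptor.ActionName);
    }
}

[Authorize]
public class MediaController : Controller // hypothetical controller
{
    // As in the question: Json(data) leaves JsonRequestBehavior at DenyGet, so
    // executing the result throws InvalidOperationException when the verb is
    // GET and succeeds for POST.
    [LogHttpMethod]
    public ActionResult MyMediaJSON(int? id)
    {
        return Json(LoadMedia(id));
    }

    // Hardened: keep DenyGet and accept POST only, so the JSON cannot be
    // pulled in cross-site through a <script src="..."> GET.
    [HttpPost]
    public ActionResult MyMediaJsonPost(int? id)
    {
        return Json(LoadMedia(id));
    }

    // Explicit opt-in: GET succeeds. Reserve this for responses that are
    // acceptable to expose to a cross-site GET.
    public ActionResult MyMediaJsonGet(int? id)
    {
        return Json(LoadMedia(id), JsonRequestBehavior.AllowGet);
    }

    // Constructed sample data standing in for the real lookup.
    private object LoadMedia(int? id)
    {
        return new { id = id, title = "sample" };
    }
}
```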