I have a problem here. In jQuery AJAX, when we define the URL here it is exposed to the outside world; there is a chance it could be misused by others. How can we overcome this so that the URL is encoded?

    var actionUrl = '@Url.Action("GetMovieslist", "Getjson")';
    <script type="text/javascript">
        // Action name attribute used here: Razor renders the action URL into the page at server time.
        $(document).ready(function () {
            $("#btnGetMovies2").click(function () {
                //var actionUrl = '@Url.Action("GetMovieslist", "Getjson")';
                var actionUrl = '@Url.Action("GetMovieslist", "Getjson")';
                $.getJSON(actionUrl, displayData2);
            });
        });

        function displayData2(response) {
            if (response != null) {
                for (var i = 0; i < response.length; i++) {
                    // Build the <li> with .text() so Title/Genre/Year are inserted as text, not parsed as HTML.
                    $("<li>")
                        .text(response[i].Title + " " + response[i].Genre + " " + response[i].Year)
                        .appendTo("#movieList2");
                }
            }
        }
    </script>
So is there any way we can overcome this issue?
Anything that is sent across from the client can be seen by the client. In your case, if the client opens up the 'network' panel in Chrome, they can see the endpoint they're hitting.
If you don't want that, you have one foolproof option:
Don't serve that content from an AJAX call; serve it from the server.
You can always take in a token parameter with your AJAX method and log that token (and check it for abuse), but you can't outright stop an end user from hitting that endpoint.
+1 to what George said.
Additionally, if you're worried about CSRF attacks, XMLHttpRequest is subject to the browser's same-origin policy: for security reasons, requests will only succeed if they are made from the same origin.