After an hour or two of sleuthing I’ve discovered that jQuery 1.2.6 does not set the Content-Type header for HTTP GETs even if you explicitly use the contentType parameter. My understanding of the jQuery rationale is that GETs don’t contain data and therefore a Content-Type header is not required. Unfortunately, Microsoft reckons that GETs returning JSON provide a security risk and that a Content-Type header must be specified. Scott Guthrie explains it here: http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
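To make the server side of this conflict concrete, here is a small sketch of a Content-Type gate of the kind described above. It is an added example, not code from this post, jQuery or ASP.NET AJAX; the function names, the 415 status and the sample requests are assumptions made for illustration.

```javascript
// Added example: a Content-Type gate for a JSON endpoint.
// Not ASP.NET AJAX's code; names and the 415 status are assumptions.

// Look up a header case-insensitively (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return String(headers[key]);
  }
  return null;
}

// Bare media type: "Application/JSON; charset=utf-8" -> "application/json".
function mediaType(value) {
  return value === null ? null : value.split(";")[0].trim().toLowerCase();
}

// Decide whether the JSON endpoint should answer this request.
function gateJsonRequest(request) {
  const type = mediaType(getHeader(request.headers, "Content-Type"));
  if (type === null || type === "") {
    return { status: 415, reason: "missing Content-Type" };
  }
  if (type !== "application/json") {
    return { status: 415, reason: "unexpected Content-Type: " + type };
  }
  return { status: 200, reason: "ok" };
}

// Constructed sample requests (not captured traffic).
const samples = {
  // GET with no Content-Type: what the post reports for jQuery 1.2.6 GETs,
  // and also what a <script src="..."> include sends.
  bareGet: { method: "GET", headers: { Accept: "*/*" } },
  // GET where the client did set the header.
  jsonGet: { method: "GET", headers: { "content-type": "application/json; charset=utf-8" } },
  // HTML form POST: a form cannot declare application/json.
  formPost: { method: "POST", headers: { "Content-Type": "text/plain" } },
  // The POST fallback the post settles on.
  jsonPost: { method: "POST", headers: { "Content-Type": "Application/JSON" } },
};

function runSamples() {
  const out = {};
  for (const name of Object.keys(samples)) out[name] = gateJsonRequest(samples[name]).status;
  return out;
}

console.log(runSamples());
```

The gate cannot tell a header-less jQuery GET from a script include, which is why the legitimate GET is rejected along with the request the check is meant to stop.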

After reading documentation from both camps I can fully understand their opposing views. Ultimately it is yet another indicator that the responsibility of user protection lies in the browser is blatantly wrong! If the browser raised a message asking the user if they are OK with a cross-domain request and acted according to the response, it would render both jQuery’s and Microsoft’s approaches obsolete.

So now I am caught between a rock and a hard place. I love jQuery and I love Microsoft ASP.NET web services and I am going to use both in my current projects. But if I cannot explicitly set the Content-Type header for an .ajax() GET then I have just one choice, and that is to use POSTs instead. Unfortunately, this contradicts the notion of using the correct HTTP verbs and removes the possibility of a RESTful API.

It’s always about compromise.
