What 'sensitive information' could be disclosed when setting JsonRequestBehavior to AllowGet
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/21452925/
Asked by A. Murray
I've been getting the same old error every time I test a new URL from my browser's address bar when I'm returning Json (using the built-in MVC JsonResult helper):
This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.
Rather than grunt in acknowledgement and fire up Fiddler to do a POST request, this time I'm wondering exactly what it is that a GET request exposes that a POST request doesn't?
Accepted answer by SilverlightFox
Say your website has a GetUser web method:
http://www.example.com/User/GetUser/32
which returns a JSON response:
{ "Name": "John Doe" }
If this method accepts only POST requests, then the content will only be returned to the browser if an AJAX request is made to http://www.example.com/User/GetUser/32 using the POST method. Note that unless you have implemented CORS, the browser will protect the data from other domains making this request to yours.
However, if you allowed GET requests then, as well as making an AJAX request similar to the above with GET instead of POST, a malicious user could include your JSON in the context of their own site by using a script tag in the HTML. e.g. on www.evil.com:
<script src="http://www.example.com/User/GetUser/32"></script>
This JavaScript should be useless to www.evil.com because there should be no way of reading the object returned by your web method. However, due to bugs in old versions of browsers (e.g. Firefox 3), it is possible for JavaScript prototype objects to be redefined and make it possible for www.evil.com to read the data returned by your method. This is known as JSON Hijacking.
See this post for some methods of preventing this. However, it is not a known problem with the later versions of modern browsers (Firefox, Chrome, IE).
Answer by OldTrain
In your return use the following:
return this.Json("you result", JsonRequestBehavior.AllowGet);
Answer by Murali Murugesan
By default, the ASP.NET MVC framework does not allow you to respond to a GET request with a JSON payload, as there is a chance a malicious user can gain access to the payload through a process known as JSON Hijacking. You do not want to return sensitive information using JSON in a GET request.
If you need to send JSON in response to a GET, and aren't exposing sensitive data, you can explicitly allow the behavior by passing JsonRequestBehavior.AllowGet as a second parameter to the Json method.
Such as
using System.Web.Mvc;
public class MyDataController : Controller // hypothetical controller name, added so the snippet compiles
{
    [HttpGet] //No need to decorate, as by default it will be GET
    public JsonResult GetMyData()
    {
        var myResultDataObject = buildMyData(); // build, but keep controller thin
        // delegating buildMyData to builder/Query Builder using CQRS makes easy :)
        return Json(myResultDataObject, JsonRequestBehavior.AllowGet);
    }
    private object buildMyData() { return new { Name = "John Doe" }; } // stand-in for the builder
}
Here is an interesting article from Phil Haack, JSON Hijacking, about why not to use Json with the GET method.
Answer by Loc Huynh
When we want to return a json object to the client from an MVC application, we should explicitly specify JsonRequestBehavior.AllowGet when returning an object. As a result, I return json data as below to overcome the issue:
return Json(yourObjectData, JsonRequestBehavior.AllowGet);
Answer by keivan kashani
You must use JsonRequestBehavior.AllowGet for a Json response like this:
return Json(YourObject, JsonRequestBehavior.AllowGet);

