A long while ago I wrote about the potential dangers of Cross-site Request Forgery attacks, also known as CSRF or XSRF. These exploits are a form of confused deputy attack. In that post, I covered how ASP.NET MVC includes a set of anti-forgery helpers to help mitigate such exploits. The helpers include an HTML helper meant to be called in the form that renders a hidden input, and an attribute applied to the controller action to protect. These helpers work great in a typical HTML form post to an action method scenario....
In a recent blog post, I wrote a controller inspector to demonstrate Controller and Action Descriptors. In this blog post, I apply that knowledge to build something more useful. One pain point when you write Ajax-heavy applications using ASP.NET MVC is managing the URLs that Routing generates on the server. These URLs aren’t accessible from code in a static JavaScript file. There are techniques to mitigate this: Generate the URLs in the view and pass them into the JavaScript API. This approach has the drawback that it isn’t unobtrusive and requires some...
EDITOR’S NOTE: Microsoft has an amazing intern program. For a summer, these bright college students work with a feature crew getting real work done, all the while attending cool events nearly every week that, frankly, make the rest of us jealous! Just look at some of the perks listed in this news article! This summer, the ASP.NET MVC team is hosting an intern, Stephen Halter, who, while very smart, doesn’t have a blog of his own (booo! hiss!). Being the nice guy that I am (and also being amenable to bribes), I’m letting him guest author a post on my...
As I mentioned before, I’m really excited that we’re shipping jQuery with ASP.NET MVC and with Visual Studio moving forward. Just recently, we issued a patch that enables jQuery Intellisense to work in Visual Studio 2008. But if you’re new to jQuery, you might sit down at your desk ready to take on the web with your newfound JavaScript light saber, only to stare blankly at an empty screen asking yourself, “Is this it?” See, as exciting and cool as jQuery is, it’s really the vast array of plugins that give jQuery its star power. Today...
UPDATE: I linked to the wrong post. I corrected the link. During the recent Insiders summit, Wally cornered me into recording a really short video demonstrating a feature of ASP.NET MVC. I decided to sprinkle a little Ajax in my demo by showing how to use jQuery to call an action that returns a JsonResult. Specifically, I show how to update a couple of regions in the page (two DOM elements) with data pulled from the server. I then add a little sparkle to the demo by implementing the ubiquitous yellow fade when adding the content to the...
Simone Chiaretta, a member of the Subtext development team (among other open source projects), has been quite busy lately. I recently mentioned the Vista Sidebar Gadget for CruiseControl.NET he published. He was also recently interviewed on video by MindBlog. Go Simo! The post that caught my eye recently is how to make a Gmail-like loading indicator with ASP.NET Ajax. This is a nice demonstration of how to use the ASP.NET Ajax library to simulate various styles of user interface. Personally though, I’m not a fan of this particular loading indicator at the page level. When I have my...