Using jQuery to GET an ASP.NET webservice
After an hour or two of sleuthing I've discovered that jQuery
1.2.6 does not set the Content-Type header for HTTP GETs even if
you explicitly use the contentType parameter. My understanding of
the jQuery rationale is that GETs don't contain data and therefore
a Content-Type header is not required. Unfortunately, Microsoft
reckons that GETs returning JSON provide a security risk and that a
Content-Type header must be specified. Scott Guthrie explains it
here http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx.
After reading documentation from both camps I can fully
understand their opposing views. Ultimately it is yet another
indicator that the responsibility of user protection lies in the
browser is blatantly wrong! If the browser raised a message asking
the user if they are OK with a cross-domain request and acted
according to the response it would render both jQuery's and
Microsoft's approaches obsolete.
So now I am caught between a rock and a hard place. I love
jQuery and I love Microsoft ASP.NET webservices and I am going to
use both in my current projects. But, if I cannot explicitly set
the Content-Type header for an .ajax() GET then I have just one
choice and that is to use POSTs instead. Unfortunately this
contradicts the notion of using the correct HTTP verbs and removes
the possibility of a RESTful API.
It's always about compromise.
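
The Content-Type requirement described above, as an added example that is not code from this post, jQuery or ASP.NET: a simplified model of the server-side gate, run over constructed requests. The function names and the `allowGet` flag (standing in for a per-method GET opt-in) are assumptions made for illustration.

```javascript
// Simplified model of the server-side gate (illustrative, not ASP.NET source):
// a JSON web method answers only when the request carries a JSON
// Content-Type, and answers GET only when GET has been enabled for it.

function headerValue(headers, name) {
  // HTTP header names are case-insensitive.
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) return String(headers[key]);
  }
  return null;
}

function hasJsonContentType(headers) {
  const raw = headerValue(headers, "Content-Type");
  if (raw === null) return false;
  // Ignore parameters such as "; charset=utf-8".
  return raw.split(";")[0].trim().toLowerCase() === "application/json";
}

// allowGet is a hypothetical flag, not a real ASP.NET setting name.
function gateJsonRequest(request, allowGet) {
  const verb = String(request.method).toUpperCase();
  if (verb !== "GET" && verb !== "POST") return "reject: verb";
  if (verb === "GET" && !allowGet) return "reject: GET not enabled";
  if (!hasJsonContentType(request.headers)) return "reject: content type";
  return "accept";
}

// Constructed sample requests (not captured traffic).
const samples = {
  // A <script src> include from another site: GET, and no way to add headers.
  scriptTag: { method: "GET", headers: { Referer: "https://other.example/" } },
  // $.ajax GET as the post describes for jQuery 1.2.6: contentType is not sent.
  jqueryGet: { method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } },
  // A GET where the header did get set on the XMLHttpRequest.
  xhrGet: { method: "GET", headers: { "content-type": "application/json; charset=utf-8" } },
  // The fallback the post settles on.
  jqueryPost: { method: "POST", headers: { "Content-Type": "application/json; charset=utf-8" } },
};

function evaluateSamples(allowGet) {
  const out = {};
  for (const name of Object.keys(samples)) {
    out[name] = gateJsonRequest(samples[name], allowGet);
  }
  return out;
}

console.log(evaluateSamples(true));
```

The script-tag request and the header-less jQuery GET fail the same check, which is why the jQuery behaviour and the server rule collide.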