Last post Apr 27, 2015 03:56 PM by atconway
Apr 22, 2015 08:16 AM|Syed.Wasti|LINK
I have a .NET application that needs to call another external web app. This external web app is also an ASP.NET MVC app that returns one fully functional view. This means it returns a view that has a few textboxes and radio buttons and a submit button.
When I call this webapp from the first webapp, it shows the view inside it and so on. I am not sure how to submit the form to the external web app. Because isn't it that it will check for cross site scripting and deny the request? How to overcome that?
Apr 26, 2015 07:57 AM|Ruchira|LINK
I am not sure how to submit the form to the external web app. Because isn't it that it will check for cross site scripting and deny the request? How to overcome that?
Unless you've specifically implemented AntiForgeryToken, AFAIK, an MVC app wouldn't check for Cross-Site Request Forgery. Cross Site Scripting (a.k.a. XSS) is different. It happens between the browser and client. What you have to worry about in this case is CSRF. You can read more from the below link
Please 'Mark as Answer' if this post helps you
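What the reply above describes, as an added example that is not part of the original thread: an ASP.NET MVC 5 controller whose POST action is only checked for CSRF once `[ValidateAntiForgeryToken]` is applied and the view emits `@Html.AntiForgeryToken()`. The controller, model and action names are hypothetical.

```csharp
// Added example, not from the thread. FeedbackController, FeedbackForm and the
// action names are hypothetical; the attributes and helpers are ASP.NET MVC 5 APIs.
using System.Web.Mvc;

public class FeedbackForm
{
    public string Name { get; set; }
    public string Rating { get; set; }
}

public class FeedbackController : Controller
{
    // GET: renders the form. The Razor view must emit the token inside the form:
    //
    //   @model FeedbackForm
    //   @using (Html.BeginForm("Submit", "Feedback", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()
    //       @Html.TextBoxFor(m => m.Name)
    //       @Html.RadioButtonFor(m => m.Rating, "good")
    //       <input type="submit" value="Send" />
    //   }
    //
    // Html.AntiForgeryToken() writes a hidden __RequestVerificationToken field
    // and sets a matching cookie on the response.
    [HttpGet]
    public ActionResult Index()
    {
        return View(new FeedbackForm());
    }

    // No anti-forgery check: a POST carrying these fields is accepted no matter
    // which site's page caused the browser to send it.
    [HttpPost]
    public ActionResult SubmitUnchecked(FeedbackForm form)
    {
        return Content("accepted without CSRF check");
    }

    // With the attribute, MVC validates the hidden field against the cookie
    // before the action body runs and throws HttpAntiForgeryException when the
    // token is missing or does not match.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(FeedbackForm form)
    {
        if (!ModelState.IsValid)
            return View("Index", form);
        return Content("accepted");
    }
}
```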
Apr 27, 2015 03:56 PM|atconway|LINK
Since this is an 'Architecture' forum I would advise against your provided approach. Coupling (2) MVC apps and relying on the Views being returned is not a great idea IMO. What you should consider is using something like WebAPI and a RESTful service to serve up the same required data for 1...n applications, but yet still have each app be responsible for its own Views. In this manner you can use more standard methods of security when interacting with the RESTful service and not have to tend to the niche security scenarios you questioned about earlier.
I realize what I suggest is not a 'quick fix,' but you should consider an alternate approach if what you truly need is more than 1 application requiring the same underlying data. What happens if app #2 decided to all of a sudden use AngularJS for its front end and not MVC? By sharing Views you are coupled to a technology implementation. If you serve up the underlying data in a RESTful manner returning JSON/XML you don't have to be concerned at all with the consuming party's technology.