ASP.NET MVC - What does IsAjaxRequest() actually mean?

Question

I had previously created a method on my base controller:

public bool IsJsonRequest()
{
    var acceptTypes = Request.AcceptTypes;
    return acceptTypes != null && 
           acceptTypes.Any(a => a.Equals("application/json",
                                         StringComparison.OrdinalIgnoreCase));
}

Then I stumbled upon AjaxRequestExtensions.IsAjaxRequest(). The documentation for it is very vague:

true if the specified HTTP request is an AJAX request; otherwise, false.

This got me thinking, what does it about an HTTP request that makes it AJAX? Is there more to it than checking the requester's accepted content types, or is encoding not a requirement of being 'AJAX'?

(Note that in my case my actions should only be called from JS pages on my site, and JSON is the only necessary encoding.)

tvanfosson · Accepted Answer · 2013-05-03T13:03:22.213

36

It checks for the X-Requested-With (HTTP_X_REQUESTED_WITH) header being set to XMLHttpRequest. This header is set by jQuery and a number of other javascript frameworks when making AJAX requests.

edited May 03 '13 at 13:03

answered Dec 24 '10 at 02:23

tvanfosson

524,688
99
697
795

Thanks. Ok, so it is just a means of knowing whether the request initiated from within a browser? – Drew Noakes Dec 24 '10 at 02:47
@Drew - I would characterize it as a convenience, not a foolproof sign that the request was initiated via AJAX. Faking the header is relatively easy. – tvanfosson Dec 24 '10 at 03:02
Agreed. Thanks again. As an aside, is this actually set by JS frameworks, or is it an unavoidable characteristic of XmlHttpRequest? For context: I would like to keep my HTTP requests small enough to fit in a single TCP packet, and in some cases removing non-essential HTTP headers achieves this. – Drew Noakes Dec 24 '10 at 03:06
@Drew - jQuery adds it to the request. I assume the same is true of other frameworks. – tvanfosson Dec 24 '10 at 03:12
jQuery, MS AJAX, and several other frameworks add it to the outgoing headers. But pay heed to what tvanfosson said - this is meant merely as a convenience. The logic has heuristics other than just checking headers, and these can be forged by malicious clients. The primary use case is for selecting some particular format for the response (or adding some additional data), which usually has no adverse effect if a malicious client tricks you into thinking that this is an AJAX request as opposed to a normal browser request. – Levi Dec 24 '10 at 19:54
This only worked for me when the header value was exactly (case-sensitive): "X-Requested-With: XMLHttpRequest". The value "XmlHttpRequest", as mentioned above, did not work. – Glenn May 03 '13 at 07:01

Dan Atkinson · Answer 2 · 2019-04-18T16:12:35.353

Specifically, the IsAjaxRequest code can be broken down to the function:

public static bool IsAjaxRequest(this HttpRequestBase request)
{
    if (request == null)
    {
        throw new ArgumentNullException("request");
    }

    return (request["X-Requested-With"] == "XMLHttpRequest") || ((request.Headers != null) && (request.Headers["X-Requested-With"] == "XMLHttpRequest"));
}

Edit - 21st January 2019

I went back to my answer and found that my link to IsAjaxRequest is now broken. I've updated it with the current link but this is the AspNetWebStack repo and as such, is not the MVC v3 version of the code. That said, at time of looking, the code is still identical to what I wrote above.

ASP.NET MVC - What does IsAjaxRequest() actually mean?

2 Answers2

Linked