Regarding "UnobtrusiveJavaScriptEnabled", what is the default value in MVC 4? - asp.net-mvc

<appSettings>
<add key="UnobtrusiveJavaScriptEnabled" value="true"/>
</appSettings>
Currently, we have UnobtrusiveJavaScriptEnabled set to true in the appSettings
(This can also be defined in global.asax)
We are looking at cleaning up the appSettings and removing configuration that we do not need to explicitly define (Especially framework stuff), but not sure what it defaults to.

The default value is true, so unobtrusive javascript is enabled by default. You can remove the setting if you wish. And by the way it is the same in ASP.NET MVC 3.

Related

Suppressing anti-forgery X-Frame options header in the global.asax weakens security despite setting X-Frame options in Web.config?

Our MVC5 application contains a partial view that renders a Html.AntiForgeryToken on all pages using the Master.cshtml.
On pages where we render another form, and another Html.AntiForgeryToken, on form submission an exception is thrown:
Server cannot append header after HTTP headers have been sent.
To avoid the exception, within the Global.asax App_Start we can specify:
AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
Our concern here is we're enabling others to embed our website as an iFrame, and enabling 'ClickJacking'?
The above mentioned occurs regardless of us also using Umbraco 7.6.1 which requires we specify within our Web.config:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
Is there an alternative to this contradictive configuration? Are we weakening security?
By suppressing the X-Frame-Options header from Html.AntiForgeryToken, you potentially weaken security by assuming responsibility for applying the X-Frame-Options header.
In your case security is not weakened because you are using the Web.config to apply an X-Frame-Options header with the same value that Html.AntiForgeryToken would apply. Your security is actually stronger than what Html.AntiForgeryToken provides because the X-Frame-Options header will be applied to all responses which includes forms where you neglected to or can't use Html.AntiForgeryToken.
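
The answer's point, that suppressing the anti-forgery header is only safe when Web.config supplies X-Frame-Options itself, can be checked in a build step. This is an added example, not code from the original thread: the function names, the minimal Web.config wrapper around the question's `<httpProtocol>` block and the one-line Global.asax sample are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Values that restrict framing; ALLOW-FROM is left out because current browsers ignore it.
SAFE_VALUES = {"DENY", "SAMEORIGIN"}
# Naive text match: it also hits commented-out code, so treat a hit as "review this".
SUPPRESS_RE = re.compile(r"SuppressXFrameOptionsHeader\s*=\s*true\b")

def config_xfo_value(web_config_xml):
    """Return the X-Frame-Options value the root <customHeaders> adds, or None."""
    root = ET.fromstring(web_config_xml)
    value = None
    # <location>-scoped sections are ignored: they do not cover every response.
    for el in root.findall("./system.webServer/httpProtocol/customHeaders/*"):
        if el.tag == "clear":
            value = None
        elif el.get("name", "").lower() == "x-frame-options":
            value = el.get("value", "").strip().upper() if el.tag == "add" else None
    return value

def audit(web_config_xml, startup_source):
    """Classify the combination of Web.config headers and startup code."""
    value = config_xfo_value(web_config_xml)
    if value in SAFE_VALUES:
        return "ok: Web.config adds X-Frame-Options " + value + " to every response"
    if SUPPRESS_RE.search(startup_source):
        return "fail: header suppressed in code and not set in Web.config"
    return "warn: only responses that render Html.AntiForgeryToken carry the header"

# Constructed samples: the question's <httpProtocol> block in a minimal Web.config.
GOOD_CONFIG = """<configuration><system.webServer><httpProtocol><customHeaders>
  <remove name="X-Powered-By" />
  <add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders></httpProtocol></system.webServer></configuration>"""
BARE_CONFIG = """<configuration><system.webServer><httpProtocol><customHeaders>
  <remove name="X-Powered-By" />
</customHeaders></httpProtocol></system.webServer></configuration>"""
GLOBAL_ASAX = "AntiForgeryConfig.SuppressXFrameOptionsHeader = true;"

if __name__ == "__main__":
    for cfg in (GOOD_CONFIG, BARE_CONFIG):
        print(audit(cfg, GLOBAL_ASAX))
    print(audit(BARE_CONFIG, ""))
```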

What is the effect of omitting "webpages:Enabled" in web.config?

I've seen the question "what is the function of webpages:Enabled in MVC 3 web.config" but the answer merely explains that setting it to "false" disables use of CSHTML pages (although there is no link to the documentation).
I have a project which fails to build unless the line <add key="webpages:Enabled" value="true"> is removed from the web.config file.
Can someone (provide a link to) tell me what the effect of omitting it is? Is the default to allow or deny CSHTML pages?
Thanks
Default value is null which is interpreted as 'true' that would enable *.cshtml pages to be accessible directly.
You may refer to the code base here for reference:
https://aspnetwebstack.codeplex.com/SourceControl/latest#src/System.Web.WebPages.Deployment/WebPagesDeployment.cs

Why HtmlHelper would skip validation attributes

Why @Html.TextBoxFor and other helpers would skip jquery.validation attributes and create elements without those? Am I missing some references or something? It's MVC 3.0 project.
If I add them manually like that:
@Html.TextBoxFor(x => x.Name,
new { data_val="true", data_val_required="Need that field" })
then unobtrusive validation works. But it's supposed to build elements and put those attributes based on Model's DataAnnotations. Model is there, textbox inside of a form body, and still doesn't work. What could it be?
upd: UnobtrusiveJavaScriptEnabled set to true in web.config
Please ensure these two lines in your web.config file
<appSettings>
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
</appSettings>
For unobtrusive validation to work you need to ensure that UnobtrusiveJavaScriptEnabled is set to true in your Web.config and that you have included these 3 scripts:
jQuery (~/Scripts/jquery-1.8.2.js)
jQuery Validate (~/Scripts/jquery.validate.js)
the MVC plugin for unobtrusive client validation with jQuery Validate (~/Scripts/jquery.validate.unobtrusive.js).
1. If the text box is loaded via ajax, it may not be parsed for Unobtrusive validation.
2. Check the rendered html for a data-val-required attribute on the text box to determine if it's a server side or client side problem.

MVC Route to Action for Javascript file

I am trying to add a mvc route to generate a javascript from the controller. I have added the following route and it doesn't work:
routes.MapRouteWithName(
"DataSourceJS", // Route name
"Scripts/Entities/{controller}/datasource.js", // URL with parameters
new { controller = "Home", action = "DataSourceJS"} // Parameter defaults,
, null
);
But if I change the route to not have the ".js" and I navigate to "Scripts/Entities/{controller}/datasource" it works. But I need to have the .js file extension on there, how do I make this work?
how do I make this work?
IIS intercepts the request because it contains a file extension and hijacks it thinking it is a static file and not passing it to your application.
To make it work you should tell IIS not to do that. Inside the <system.webServer> section you could add the following handler to indicate that requests with the specified pattern should be handled by the managed pipeline:
<system.webServer>
<handlers>
...
<add name="ScriptsHandler" path="Scripts/Entities/*/datasource.js" verb="GET" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
Some people might also tell you to use:
<modules runAllManagedModulesForAllRequests="true" />
but I wouldn't recommend you doing that because this means that all requests to static resources will now be flowing through the managed pipeline which could have a negative performance overhead for your application. The handler syntax allows you to selectively enable this only for certain route patterns and HTTP verbs.

Multiple AppSettings.config files in a hierarchy

I have a question that has struck me a couple of times when creating ASP.Net MVC applications: Say you have one application that you want to deploy to multiple customers. The application code is identical, but you want to be able to have one appSettings.config file for each customer, so that you are able to deploy to different customers by just changing the configSource of the appSettings tag in web.config ( a bit simplified, but still).
Then you realize that 50% of the content in appSettings.config is common for all customers, and only 50% is customer dependent. What you may end up doing is having duplicated entries in all the appSettings files, which is a major pitfall as you then need to remember to update all of them if you want to do an application-wide change to the config.
In a case like this I would really like to have some sort of hierarchical system where you are able to have a "base config" and a "customer config" in separate files. Then I would like the ConfigurationManager to first check for a value in the customer config, and if it is not defined there it will go to the base config instead.
I haven't found a straight-forward way of solving this with the out-of-the-box functionality in ASP.Net MVC4. Does it exist, or do I need to work my way around the default ConfigurationManager class somehow? I could potentially create my own class and replace all calls to ConfigurationManager.AppSettings[key] with a call to my own implementation, but I'd rather avoid that if I could. I want to be able to make use of some of the basic functionality that the built-in ConfigurationManager takes care of, like caching, etc.
Anyone who has solved a similar problem like this before? I keep thinking that it seems like a common scenario..
It is a common scenario, and there are different ways to solve it. One way would be to use config transforms. You could have a Web.Customer1.config, Web.Customer2.config, etc, just like you have Web.Debug.config and Web.Release.config. In the customer-specific transform files, you could "override" only the appSettings that your customer wants to customize.
To create the different transforms, first create different project platforms. Go to the Visual Studio Configuration Manager, and in the Configuration column for your web project (or any project that needs customized configuration settings), click the dropdown and then click <New...>. Name the New Project Configuration Customer1 or whatever you want, check the box for Copy settings from, and pick Release from that dropdown. Also check the Create new solution configurations checkbox.
Finally, right click your web.config file and click Add config transform. This will generate a template Web.Customer1.config file for you. Edit it to override the appSettings it needs to, using the xdt: config transform attributes. Then you can publish the project using the Customer1 solution build configuration. As part of the build, the web.config will be transformed and you will end up with a different web.config file for each customer. You can also use this to customize projects for different deployments, i.e. changing db connection strings, smtp servers, literally anything in the XML configuration file.
As a last thought, make sure you right click each Web.Xyx.config file, choose properties, and set its Build Action to None.
Example:
base web.config
<appSettings>
<add key="CommonProperty1" value="[for all customers]" />
<add key="CommonProperty2" value="[for all customers]" />
<add key="CommonProperty3" value="[for all customers]" />
<add key="CustomProperty1" value="[for one customer]" />
<add key="CustomProperty2" value="[for one customer]" />
<add key="CustomProperty3" value="[for one customer]" />
</appSettings>
web.Customer1.config
<appSettings>
<add key="CustomProperty1" value="The Ohio State University" xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
<add key="CustomProperty2" value="Scarlet" xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
<add key="CustomProperty3" value="Gray" xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
</appSettings>
web.Customer2.config
<appSettings>
<add key="CustomProperty1" value="Michigan University" xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
<add key="CustomProperty2" value="Blue" xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
<add key="CustomProperty3" value="Maize" xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
</appSettings>
