Is there a way to block access (404) to the Razor views in MVC 3 beta 1? When I create a brand new blank site (IIS7) and then access /views/home/index.cshtml from the browser, instead of the 404 I get this:
[InvalidCastException: Unable to cast object of type 'ASP.Index_cshtml' to type 'System.Web.IHttpHandler'.]
System.Web.WebPages.WebPageHttpHandler.CreateFromVirtualPath(String virtualPath, VirtualPathFactoryManager virtualPathFactoryManager) +56
System.Web.WebPages.WebPageRoute.DoPostResolveRequestCache(HttpContextBase context) +253
System.Web.WebPages.WebPageHttpModule.OnApplicationPostResolveRequestCache(Object sender, EventArgs e) +89
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
By default the web.config file in the views folder is set to block all file requests, but obviously this request is still getting through.
Steps to reproduce:
File -> New Project
ASP.NET MVC 3 Web Application
Internet Application (Razor)
F5
Navigate to /views/home/index.cshtml
I'm a dev lead on the ASP.NET team working on both ASP.NET MVC 3 and ASP.NET Web Pages and Razor.
This is not entirely fixed in ASP.NET MVC 3 RC, but it will be fully fixed in ASP.NET MVC 3 RTM.
There is nothing "terribly bad" that happens in ASP.NET MVC 3 RC or earlier: The worst that can happen is that someone can detect whether a view exists in your app - but they cannot get it to run (due to that weird exception). This is a slight security issue in that it is a form of information disclosure, but it is not a very severe issue.
In ASP.NET MVC 3 RTM all Razor views in ~/Views/... as well as any Razor views within an MVC Area are 100% blocked and will not be directly runnable by the browser. They will only be runnable as MVC view pages.
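A log check for the information-disclosure case described in the answer above, added here as an example and not part of the original answer or of ASP.NET itself. It scans an IIS W3C log for direct requests to Razor view files and separates the ones that a pre-RTM site answered with an error (view exists) from the ones answered with 404. The sample log is constructed, and it is an assumption that the unhandled InvalidCastException is logged as HTTP 500.

```python
import re
from collections import defaultdict

# Direct requests to Razor view files under ~/Views or an MVC Area's Views folder.
VIEW_PATH = re.compile(r"^/(areas/[^/]+/)?views/.+\.(cs|vb)html$", re.IGNORECASE)

# Constructed sample in IIS W3C extended log format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2010-11-02 10:00:01 GET /Home/Index 198.51.100.7 200
2010-11-02 10:00:05 GET /views/home/index.cshtml 203.0.113.9 500
2010-11-02 10:00:06 GET /Views/Home/Admin.cshtml 203.0.113.9 404
2010-11-02 10:00:07 GET /Areas/Shop/Views/Cart/Index.cshtml 203.0.113.9 500
2010-11-02 10:00:09 GET /views/shared/_layout.cshtml 198.51.100.7 404
"""

def find_view_probes(log_text):
    """Return {client_ip: {"disclosed": [...], "not_found": [...]}} for direct view requests."""
    fields = []
    hits = defaultdict(lambda: {"disclosed": [], "not_found": []})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "")
        if not VIEW_PATH.match(stem):
            continue
        status = row.get("sc-status", "")
        client = row.get("c-ip", "-")
        # Assumption: the unhandled InvalidCastException is logged as HTTP 500,
        # so a 500 on a view path tells the client that the view exists.
        if status == "500":
            hits[client]["disclosed"].append(stem)
        elif status == "404":
            hits[client]["not_found"].append(stem)
    return dict(hits)

if __name__ == "__main__":
    for ip, result in find_view_probes(SAMPLE_LOG).items():
        print(ip, "disclosed:", result["disclosed"], "not found:", result["not_found"])
```

On a site running MVC 3 RTM the "disclosed" lists should stay empty, since every direct view request is blocked.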