Good afternoon

In Visual Studio 2010 I am able to add to my solution a new item called an AJAX-enabled WCF service. That will add a new .svc file.

Later, I have created a method just for debugging purposes:

[ServiceContract(Namespace = "")]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class DataAccessService
{
    [WebGet]
    [OperationContract]
    public MyClass DoWork()
    {
        var o = new MyClass
        {
            Id = 1,
            FirstName = "Junior",
            LastName = "Mayhe"
        }; 
        return o;
    }
}

When debugging here is the resulting Json string:

{"d":
    {"__type":"MyClass:#MyProject",
    "Id":1,
    "FirstName":"Junior",
    "LastName":"Mayhe"
    }
}

The question is, what is this "d"? Is it some result type code for a Json string, and if so, are there other codes?

thanks in advance

A: 

Your response is simply getting encapsulated with a parent object called "d". It was introduced in ASP.NET 3.5 web services as a security enhancement to prevent JSON hijacking.

The client proxies generated for your service will strip out the "d" so you will never really even know it was there. But since your service isn't really going to be consumed for anything other than AJAX requests, you'll have to access your JSON objects through the ".d" property. I would recommend using JSON2 to parse the response, since not all browsers have native JSON support at the time of this writing.

You can read a little more about the security problem here.

Cory Larson
A: 

It is only "d", and it is intended as protection against some cross-site scripting attacks.

E.g. consider a method that returns an int array of sensitive data (e.g. bank account balances). It can be returned as:

[10000,12300,15000]

Or:

{"d":[10000,12300,15000]}

The problem is that in the first case, there's a (very advanced and obscure but nevertheless real) attack whereby another site can steal this data by including a call to the service in a `<script>` tag and overriding the JavaScript array constructor. The attack is not possible if the JSON looks like the latter case.

There was some talk within Microsoft to extend the format beyond just "d", but I don't think it ever went anywhere.

Eugene Osovetsky
Yes, this seems to be some sort of envelope. To get this in bare format I had to add `[WebGet(BodyStyle = WebMessageBodyStyle.Bare)]` and change the web.config `<enableWebScript />` tag to `<webHttp />`.
Junior Mayhé
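
The difference between the two response shapes discussed in the answers can be checked directly. This is an added example, not code from the thread or from ASP.NET: it tests whether a response body is accepted by the JavaScript parser as script text, and unwraps the "d" envelope on the client. The names `parsesAsScript`, `unwrapD` and `report` are hypothetical, and the sample bodies are constructed from the shapes shown above.

```javascript
// True if `text` is accepted by the JavaScript parser as program statements,
// which approximates how a script include treats a response body.
// new Function() only compiles the text; the resulting function is never called.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Return the payload whether or not the service wraps it in {"d": ...}.
// Assumption: an object whose only property is "d" is the envelope.
function unwrapD(responseText) {
  const parsed = JSON.parse(responseText);
  const isEnvelope =
    parsed !== null &&
    typeof parsed === "object" &&
    !Array.isArray(parsed) &&
    Object.keys(parsed).length === 1 &&
    Object.prototype.hasOwnProperty.call(parsed, "d");
  return isEnvelope ? parsed.d : parsed;
}

// Constructed sample bodies, using the shapes shown in the thread.
const bareArray = '[10000,12300,15000]';
const wrappedArray = '{"d":[10000,12300,15000]}';
const wrappedObject =
  '{"d":{"__type":"MyClass:#MyProject","Id":1,"FirstName":"Junior","LastName":"Mayhe"}}';

// For each body: is it valid script text, and what payload does the client see?
function report() {
  return [bareArray, wrappedArray, wrappedObject].map((body) => ({
    body,
    validScript: parsesAsScript(body),
    value: unwrapD(body),
  }));
}

console.log(report());
```

The bare array is valid script text, while both wrapped bodies fail to parse because a leading `{` starts a block statement and `"d":` is not a valid statement inside it. With `WebMessageBodyStyle.Bare`, a method that returns an array produces the first shape again.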