tags:

views:

13

answers:

2
+1  Q: 

Understanding Json structure generated by an AJAX-enabled WCF Service

Good afternoon

In Visual Studio 2010 I am able to add to my solution a new item called in AJAX-enabled WCF service. That will add a new a .svc file.

Later, I have created a method just for debugging purposes:

[ServiceContract(Namespace = "")]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class DataAccessService
{
    [WebGet]
    [OperationContract]
    public MyClass DoWork()
    {
        var o = new MyClass
        {
            Id = 1,
            FirstName = "Junior",
            LastName = "Mayhe"
        }; 
        return o;
    }
}

When debugging here is the resulting Json string:

{"d":
    {"__type":"MyClass:#MyProject",
    "Id":1,
    "FirstName":"Junior",
    "LastName":"Mayhe"
    }
}

The question is, what is this "d"? Is it some result type code for a Json string, and if so, are there other codes?

thanks in advance

A: 

Your response is simply getting encapsulated with a parent object called "d". It was introduced in ASP.NET 3.5 web services as a security enhancement to prevent JSON hijacking.

The client proxies generated for your service will strip out the "d" so you will never really even know it was there. But since you're service isn't really going to be consumed for anything other than AJAX requests, you'll have to access your JSON objects through the ".d" property. I would recommend using JSON2 to parse the response, since not all browsers have native JSON support at the time of this writing.

You can read a little more about the security problem here.

Cory Larson  2010-10-24 19:59:37
A: 

It is only "d", and it is intended as protection against some cross-site scripting attacks.

E.g. consider a method that returns an int array of sensitive data (e.g. bank account balances). It can be returned as:

[10000,12300,15000]

Or:

{"d":[10000,12300,15000]}

The problem is that in the first case, there's a (very advanced and obscure but nevertheless real) attack whereby another site can steal this data by including a call to the service in a tag and overriding the JavaScript array constructor. The attack is not possible if the JSON looks like the latter case.

There was some talk within Microsoft to extend the format beyond just "d", but I don't think it ever went anywhere.

Eugene Osovetsky  2010-10-24 20:02:22
yes, this seems to be some sort of envelope. to get this in bare format I had to add `[BodyStyle = WebMessageBodyStyle.Bare)]` and change the web.config `<enableWebScript />` tag to `<webHttp />`
Junior Mayhé  2010-10-24 20:07:19

related questions

Entity diagrams in ASP.NET MVC
Aging Data Structure in C#
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
How do I make a custom .net client profile installer?
.NET 3.5 SP1 and aspnet_client Crystal Reports
Can I create a ListView with dynamic GroupItemCount?
N2 CMS
Conditional Linq Queries
LINQ query on a DataTable
Asynchronous Remoting calls
Using EF Entity as DTO Object
WPF: How to style or disable the default ContextMenu of a TextBox
C# 2.0 code consuming assemblies compiled with C# 3.0
Using C#/WIA version 2.0 on Vista to Scan
Has anyone run performance benchmarks comparing LINQ
Beginners Guide to LINQ
Extension interface patterns
C# 3.0 Where extension method with lambda vs LINQtoObjects to filter in memory collections.
Upgrade to ASP.NET 3.x
Where can I get the Windows Workflow "wca.exe" application?
LINQ on the .NET 2.0 Runtime
Is nAnt still supported and suitable for .net 3.5/VS2008?
How do you page a collection with LINQ?
How do I get a distinct, ordered list of names from a DataTable using Linq
How do I fill a DataSet or a DataTable from a LINQ query resultset ?