Friday, March 28, 2008

The mystic "d" JSON wrapper in ASP.NET 3.5

While working on my latest Ext RIA I noticed something really odd that threw the Ext deserializer to pieces. Out of no where the returned JSON was wrapped in an object named "d"! While I couldn't find anywhere I had a "d" class, it became clear that this was some odd ASP.NET behavior.

Thankfully the .NET team has released the pdb files for many of the .NET classes including System.Web.Script.Services class.

The mystery unfolds
And I quote from the source code:
// Convert the result to a JSON string
// DevDiv 88409:Change JSON wire format to prevent CSRF attack
// We wrap the returned value inside an object , and assign the returned value
// to member "d" of the object. We do so as JSOM for object will never be parsed
// as valid Javascript , unlike arrays.
=@"{""d"":" + methodData.Owner.Serializer.Serialize(retVal) + "}";

There you have it. Another security pain...