Friday, March 28, 2008

The mystic "d" JSON wrapper in ASP.NET 3.5

While working on my latest Ext RIA I noticed something really odd that threw the Ext deserializer to pieces. Out of nowhere the returned JSON was wrapped in an object named "d"! While I couldn't find anywhere I had a "d" class, it became clear that this was some odd ASP.NET behavior.

Thankfully the .NET team has released the pdb files for many of the .NET classes including System.Web.Script.Services class.

The mystery unfolds
And I quote from the source code:
// Convert the result to a JSON string
// DevDiv 88409: Change JSON wire format to prevent CSRF attack
// We wrap the returned value inside an object, and assign the returned value
// to member "d" of the object. We do so as JSOM for object will never be parsed
// as valid Javascript, unlike arrays.
=@"{""d"":" + methodData.Owner.Serializer.Serialize(retVal) + "}";

There you have it. Another security pain...
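As an added example (not code from the original post and not ASP.NET's own), the JavaScript below shows why the quoted wrapper works: a bare JSON array or primitive compiles as a stand-alone script, whereas a body of the form {"d": ...} is a syntax error as a script and can only be read through JSON.parse. It also shows the unwrap step a non-ASP.NET-AJAX client such as Ext needs. The function names (wrapD, isExecutableAsScript, unwrapD) and the response bodies are constructed for this illustration; a Node.js runtime is assumed.

```javascript
// Added example; not the original post's code nor ASP.NET's. Assumes Node.js.
// Function names (wrapD, isExecutableAsScript, unwrapD) and the sample bodies
// are constructed for this illustration.

// Server-side shape of the wire format, mirroring the quoted source line:
// the result is placed under member "d" of an enclosing object.
function wrapD(value) {
  return '{"d":' + JSON.stringify(value) + '}';
}

// Would this response body compile as a stand-alone JavaScript program?
// That is the property the wrapper removes: a response pulled in through a
// cross-site <script src=...> is only a concern if it parses as script.
// new Function only compiles the text; nothing in it is executed.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}
// A top-level array, string, number, null or even "{}" (an empty block)
// compiles. '{"d":...}' starts a block statement in which the quoted "d"
// is followed by ':', which is a SyntaxError. The quoting matters: an
// unquoted {d:...} would be a labeled statement and compile fine.

// Client side: what a non-ASP.NET-AJAX consumer (e.g. Ext) must do after
// JSON.parse. A bare body without the wrapper is passed through unchanged.
function unwrapD(body) {
  const parsed = JSON.parse(body);
  const isWrapper = parsed !== null && typeof parsed === 'object' &&
    !Array.isArray(parsed) && Object.keys(parsed).length === 1 && 'd' in parsed;
  return isWrapper ? parsed.d : parsed;
}

// Constructed sample: a web method returning a list of records.
const records = [{ id: 1, name: 'alice' }, { id: 2, name: 'bob' }];
const bare = JSON.stringify(records);   // '[{"id":1,...}]'
const wrapped = wrapD(records);         // '{"d":[{"id":1,...}]}'

console.log('bare array compiles as script:   ', isExecutableAsScript(bare));    // true
console.log('wrapped body compiles as script: ', isExecutableAsScript(wrapped)); // false
console.log('client sees after unwrapD:       ', JSON.stringify(unwrapD(wrapped)));
```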

1 comment:

Yin said...

The {d} prefix is part of the expected response for the ASP.NET AJAX library. All responses to ASP.NET AJAX requests are wrapped in this "d" object to prevent a known attack which could happen if the type of the response were arrays (array object constructor hijacking).

If you change the behavior from WebEnablingScriptBehavior to WebHttpBehavior then you can remove "d" from the response and use default method name + "Result" as the root object.