
Understanding Json structure generated by an AJAX-enabled WCF Service

Good afternoon

In Visual Studio 2010 I am able to add to my solution a new item called AJAX-enabled WCF Service. That will add a new .svc file.

Later, I have created a method just for debugging purposes:

using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;

namespace MyProject
{
    // MyClass was not shown in the question; this definition is inferred from the
    // JSON below (the "__type" hint names MyClass in namespace MyProject).
    [DataContract]
    public class MyClass
    {
        [DataMember] public int Id { get; set; }
        [DataMember] public string FirstName { get; set; }
        [DataMember] public string LastName { get; set; }
    }

    [ServiceContract(Namespace = "")]
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
    public class DataAccessService
    {
        // [WebGet] exposes the operation to HTTP GET; the ASP.NET AJAX endpoint
        // serializes the return value as JSON.
        [WebGet]
        [OperationContract]
        public MyClass DoWork()
        {
            var o = new MyClass
            {
                Id = 1,
                FirstName = "Junior",
                LastName = "Mayhe"
            };
            return o;
        }
    }
}

When debugging here is the resulting Json string:

{"d":
    {"__type":"MyClass:#MyProject",
    "Id":1,
    "FirstName":"Junior",
    "LastName":"Mayhe"
    }
}

The question is, what is this "d"? Is it some result type code for a Json string, and if so, are there other codes?

thanks in advance


It is only "d", and it is intended as protection against some cross-site scripting attacks.

E.g. consider a method that returns an int array of sensitive data (e.g. bank account balances). It can be returned as:

[10000,12300,15000]

Or:

{"d":[10000,12300,15000]}

The problem is that in the first case, there's a (very advanced and obscure but nevertheless real) attack whereby another site can steal this data by including a call to the service in a <script> tag and overriding the JavaScript array constructor. The attack is not possible if the JSON looks like the latter case.

There was some talk within Microsoft to extend the format beyond just "d", but I don't think it ever went anywhere.


Your response is simply getting encapsulated with a parent object called "d". It was introduced in ASP.NET 3.5 web services as a security enhancement to prevent JSON hijacking.

The client proxies generated for your service will strip out the "d" so you will never really even know it was there. But since your service isn't really going to be consumed for anything other than AJAX requests, you'll have to access your JSON objects through the ".d" property. I would recommend using JSON2 to parse the response, since not all browsers have native JSON support at the time of this writing.

You can read a little more about the security problem here.
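As an added illustration (not code from the question or either answer), the snippet below unwraps the "d" envelope on the client and shows why the envelope blocks the <script>-inclusion attack the first answer describes: a bare array is a valid JavaScript program, while the {"d": ...} object is a syntax error when loaded as a script. The response bodies are constructed to match the shapes shown above.

```javascript
// Constructed response bodies, matching the shapes discussed in the answers.
const WRAPPED_OBJECT = '{"d":{"__type":"MyClass:#MyProject","Id":1,"FirstName":"Junior","LastName":"Mayhe"}}';
const WRAPPED_ARRAY = '{"d":[10000,12300,15000]}';
const BARE_ARRAY = '[10000,12300,15000]';

// Parse an AJAX-enabled WCF response and return the payload inside "d".
// Anything that is not an object carrying a "d" property (for example a bare
// array, the unprotected shape) is rejected instead of being used silently.
function unwrapD(text) {
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj) || !('d' in obj)) {
    throw new Error('expected a {"d": ...} envelope from the service');
  }
  return obj.d;
}

// Would this body execute if a third-party page loaded the service URL with
// <script src="...">? A bare array literal is a valid expression statement.
// The "d" envelope is not: a block that opens with a string literal followed
// by ":" is a SyntaxError, so the browser never evaluates the data.
function runsAsScript(text) {
  try {
    new Function(text); // parse only; the function is never invoked
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

console.log(unwrapD(WRAPPED_OBJECT).FirstName); // Junior
console.log(runsAsScript(BARE_ARRAY));           // true
console.log(runsAsScript(WRAPPED_ARRAY));        // false
```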
