
I'm migrating old code using .NET 3.5 which had some asmx web services which returned JSON data. These services returned the JSON wrapped in a "d" property, which was introduced in .NET 3.5 for security purposes.

When moving these web services to MVC controller actions, there is no d property, which concerns me as the "d" property was a security fix introduced for a reason.

Should I wrap the JSON result in a d property myself, or am I doing something wrong?

    public JsonResult GetJsonData()
    {
        return Json(2);
    }

This outputs:

    2

instead of:

    { "d": "2" }

Pete
  • @I4V plenty on this site, for example http://stackoverflow.com/questions/830112/what-does-d-in-json-mean – flup May 05 '13 at 19:35
  • read about the d property here: http://encosia.com/never-worry-about-asp-net-ajaxs-d-again/ and http://haacked.com/archive/2009/06/25/json-hijacking.aspx – Pete May 05 '13 at 19:37
  • You can achieve that with `return Json(new { d = 2 });` Take a look at this answer: http://stackoverflow.com/a/10608250/858757 – Silvermind May 05 '13 at 19:39
  • I understand how to "get around it"; my question is more about why the d is not there if it was introduced in .NET 3.5 as an important security fix and apparently seems to have been removed, or I'm not doing it well. I could create a helper method that puts that d in there for all my JSON results, but I'm looking to understand what's going on before changing all my calls to Json() to this helper method. – Pete May 05 '13 at 19:48
  • The explanation is in your second link isn't it? Which also tells you how to mitigate against it. `With ASP.NET MVC (and other similar frameworks), a significant number of developers are not using client generated proxies (we don’t have them) but instead using jQuery and other such libraries to call into these methods, making the “d” fix kind of awkward.`. Which is presumably why it doesn't do it. – Martin Smith May 05 '13 at 20:03
  • Thanks Martin, I understand that, but isn't MVC then less secure for having removed this from their serializer? – Pete May 06 '13 at 12:57
  • @Pete - In general MVC does less for you automatically than web forms. [This extract from the book Professional ASP.NET MVC 4 puts it well.](http://i.stack.imgur.com/XqL16.png) – Martin Smith May 07 '13 at 07:14

2 Answers


Try this

    public JsonResult GetJsonData()
    {
        return Json(new {d = 2}, JsonRequestBehavior.AllowGet);
    }

Matthew Lock
Satpal

You do everything right.

I'm not on the MVC development team, but I think it was decided not to introduce the d-wrapper, in favor of compatibility with the rest of the world.

However, they made a step towards securing JSON responses. By default, you cannot return JSON in response to a GET request, so you'll have to put an extra condition in your code:

    public JsonResult GetJsonData()
    {
        return Json(2, JsonRequestBehavior.AllowGet);
    }

If you want to serve a JSON array with sensitive data in response to a GET request, then yes, you'll have to wrap your array manually.

Dima
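
The helper Pete mentions in the comments, and the manual array wrapping this answer describes, can be done in one place with a global action filter instead of changing every `Json()` call. This is an added example, not code from the thread or from ASP.NET MVC itself: the names `WrapInDAttribute`, `DWrapper` and `DataController` are assumptions, and it assumes actions return the raw payload rather than one already wrapped by hand.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical wrapper type (an assumption, not part of ASP.NET MVC).
// Serializes as a JSON object with a single "d" property.
public sealed class DWrapper
{
    public object d { get; set; }
}

// Hypothetical filter: rewrites every JsonResult so the response body is
// always a JSON object at the top level, never a bare array or scalar.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class WrapInDAttribute : ActionFilterAttribute
{
    public override void OnActionExecuted(ActionExecutedContext filterContext)
    {
        var json = filterContext.Result as JsonResult;
        if (json == null || json.Data is DWrapper)
        {
            return; // not a JSON response, or this filter already wrapped it
        }
        json.Data = new DWrapper { d = json.Data };
    }
}

public static class FilterConfig
{
    // Call from Application_Start with GlobalFilters.Filters so the filter
    // applies to every controller action.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new WrapInDAttribute());
    }
}

public class DataController : Controller
{
    public JsonResult GetJsonData()
    {
        // AllowGet stays an explicit, per-action decision; the filter only
        // changes the shape of the payload, not which verbs are permitted.
        return Json(new[] { 1, 2, 3 }, JsonRequestBehavior.AllowGet);
    }
}
```

Client code then reads the payload from the `d` property of every response, as it did with the asmx services. Actions that do not pass `JsonRequestBehavior.AllowGet` still reject GET requests.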