I'm reading about this ajax response that describes ways to prevent JavaScript-based exploits.

  1. Does it make sense to apply this technique to WCF-based services that return JSON?

  2. How would this be implemented server side?

  3. How would the client consume it?

makerofthings7

1 Answer

There's one way WebScriptEnablingBehavior -- the behavior of choice if you want a WCF service that works with ASP .NET AJAX -- deals with this. By default, its response mode is "WrappedResponse". If you watch this in action using Fiddler, it means that every response from the service -- even a simple number -- will be wrapped in a {d:} wrapper as follows:

 { "d" : return-value }

On the other hand, WebHttpBehavior is XML out-of-the-box, but if you switch it to JSON, you can choose between WrappedResponse and BareResponse. WrappedResponse is similar to WebScriptEnablingBehavior (if I remember correctly), but BareResponse would be unsecure JSON transmitted back as a direct return value.

krisragh MSFT
  • Great find - Thanks! I've been looking for this for a while. Do you know the preferred way to consume this data? Is it with a MSFT library or function... json... etc. – makerofthings7 Apr 16 '11 at 04:16
  • The preferred way to consume JSON produced with WebScriptEnablingBehavior is an ASP .NET AJAX webpage. The preferred way to consume WebHttpBehavior is your favorite scripting language. – krisragh MSFT Apr 16 '11 at 04:32
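
An added example, not part of the original answer or of any Microsoft library: a JavaScript consumer for the `{ "d" : return-value }` envelope shown in the answer, which parses the body strictly as data and refuses the bare shape. The helper name `unwrapWrappedResponse`, the assumption that the envelope carries only the `d` member, and the sample bodies are all constructed for illustration.

```javascript
// Added example: client-side handling of the { "d": ... } envelope.
// unwrapWrappedResponse is a hypothetical helper, not a WCF or ASP.NET AJAX API.

function unwrapWrappedResponse(bodyText) {
  // JSON.parse treats the body as data only; it is never evaluated as script.
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch (err) {
    throw new Error('response is not valid JSON');
  }

  // A bare array, number, string or null at the top level is the
  // BareResponse shape; refuse it rather than guess what was meant.
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('expected a wrapped response object, got a bare value');
  }

  // Assumption: the envelope carries exactly one member, named "d".
  const keys = Object.keys(parsed);
  if (keys.length !== 1 || keys[0] !== 'd') {
    throw new Error('expected a single "d" member');
  }
  return parsed.d;
}

// Constructed sample bodies (not captured from a real service).
const wrappedNumber = '{"d":42}';
const wrappedList = '{"d":[{"Id":1,"Name":"alice"},{"Id":2,"Name":"bob"}]}';
const bareList = '[{"Id":1,"Name":"alice"}]';

// Runs each sample through the unwrapper and records the outcome.
function demo() {
  const results = [];
  for (const body of [wrappedNumber, wrappedList, bareList]) {
    try {
      results.push({ ok: true, value: unwrapWrappedResponse(body) });
    } catch (err) {
      results.push({ ok: false, error: err.message });
    }
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```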