Security issues with winrt45 version of JSON.NET

Jul 23, 2012 at 10:14 PM

The "net40" version of JSON.NET is marked with APTCA, but the "winrt45" version is not marked with any security attributes, which makes it implicitly all SecurityCritical. This breaks a lot of code that used to call JSON.NET in .NET 4 and forces conditional security attributes for code which will conditionally compile against Desktop .NET vs. Metro-style .NET.

Was this done purposefully? Is there any plan to fix this soon?

Coordinator
Jul 23, 2012 at 11:21 PM

WinRT doesn't allow APTCA.

http://social.msdn.microsoft.com/Forums/en-US/windowsstore/thread/ebc5317d-8b15-4d3c-9230-23f35a3fca60

Jul 24, 2012 at 2:46 PM
That doesn't mean that the answer is to mark your whole assembly as "security critical", though. :) You're breaking the security model of the code written against you because now every class in JSON.NET is considered security critical. That means your callers can't be transparent.
Jul 24, 2012 at 3:48 PM
Edited Jul 24, 2012 at 4:21 PM

Looks like all you need to do is put [assembly: SecurityTransparent] on the assembly (when NETFX_CORE is defined) and it fixes the problem.

I've opened a new issue: http://json.codeplex.com/workitem/23078

Coordinator
Jul 25, 2012 at 12:38 AM

Done