Security issues with winrt45 version of JSON.NET

Jul 23, 2012 at 10:14 PM

The "net40" version of JSON.NET is marked with APTCA, but the "winrt45" version is not marked with any security attributes, which makes it implicitly all SecurityCritical. This breaks a lot of code that used to call JSON.NET in .NET 4 and forces conditional security attributes for code which will conditionally compile against Desktop .NET vs. Metro-style .NET.

Was this done purposefully? Is there any plan to fix this soon?

Jul 23, 2012 at 11:21 PM

WinRT doesn't allow APTCA.

Jul 24, 2012 at 2:46 PM
That doesn't mean that the answer is to mark your whole assembly as "security critical", though. :) You're breaking the security model of the code written against you because now every class in JSON.NET is considered security critical. That means your callers can't be transparent.
Jul 24, 2012 at 3:48 PM
Edited Jul 24, 2012 at 4:21 PM

Looks like all you need to do is put [assembly: SecurityTransparent] on the assembly (when NETFX_CORE is defined) and it fixes the problem.

I've opened a new issue:

Jul 25, 2012 at 12:38 AM