Using Fiddler to inspect for some other issues I noticed that when data is sent to the MVC Grid control it includes columns that are in the model but not bound to the grid. These unbound columns do not contain their data values but still represent information leakage and effectively give away information about our schema.
Example:
-Strongly typed model has properties A,B,C,D,E,F
-Bind columns A,B,C to MVC Grid for display
-HTTP Response sends data to MVC Grid containing columns A,B,C,D,E,F where A,B,C have values and are displayed and D,E,F do not contain data values and are not displayed in the control (but are viewable in the response or in the page source).
-Columns D,E,F are marked as ScaffoldColumn(false) in the model and Hidden(true), Visible(false) in the grid control but still get sent in the response.
The best, most secure behavior would be for columns that are not included in the binding to not be sent to the browser/UI. In particular observing the ScaffoldColumn(false) attribute on the model would be optimal and in such cases those columns should not be included in server responses.
Is there a way to accomplish this currently, and if not, can an enhancement to the controls be included in the near future?
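One way to keep unbound columns out of the response, shown here as an added example rather than code from the grid vendor or from the poster: project each row onto only the properties the grid is allowed to see before serializing. The `Customer` model, the property names A to F and the `SafeGridSerializer` helper are assumptions for illustration; the check uses the same `ScaffoldColumn(false)` attribute the post mentions, and the projection would run in the controller action in place of serializing the model directly.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Reflection;
using System.Text.Json;

// Constructed model: D, E and F must never reach the client, not even as empty fields.
public class Customer
{
    public int A { get; set; }
    public string B { get; set; }
    public string C { get; set; }
    [ScaffoldColumn(false)] public string D { get; set; }
    [ScaffoldColumn(false)] public string E { get; set; }
    [ScaffoldColumn(false)] public decimal F { get; set; }
}

public static class SafeGridSerializer
{
    // A property is exposed unless it carries ScaffoldColumn(false).
    static bool IsExposed(PropertyInfo p) =>
        p.GetCustomAttribute<ScaffoldColumnAttribute>()?.Scaffold ?? true;

    // Copies only the exposed properties into a dictionary per row, so hidden property
    // names are absent from the JSON body instead of being sent with null values.
    // A dedicated view model with only A, B, C achieves the same without reflection.
    public static string ToGridJson<T>(IEnumerable<T> rows)
    {
        var exposed = typeof(T).GetProperties().Where(IsExposed).ToArray();
        var projected = rows.Select(r => exposed.ToDictionary(p => p.Name, p => p.GetValue(r)));
        return JsonSerializer.Serialize(projected);
    }

    // Self-check (hypothetical): true if any hidden property name appears in the response.
    public static bool LeaksHiddenColumns<T>(string json) =>
        typeof(T).GetProperties().Where(p => !IsExposed(p))
            .Any(p => json.Contains("\"" + p.Name + "\""));
}

public static class Program
{
    public static void Main()
    {
        var rows = new[] { new Customer { A = 1, B = "b1", C = "c1", D = "secret", E = "e", F = 9.5m } };
        string json = SafeGridSerializer.ToGridJson(rows);          // [{"A":1,"B":"b1","C":"c1"}]
        Console.WriteLine(json);
        Console.WriteLine(SafeGridSerializer.LeaksHiddenColumns<Customer>(json)); // False
    }
}
```

The same `LeaksHiddenColumns` check can be run in an integration test against the real grid endpoint's body to catch a future regression where a hidden column is serialized again.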