knockout asp.net mvc viewmodel json in page source

Question

Before I start, I want to make it clear that my code is working properly, and this is more of a "general best practice" question. I'm using knockout.js to load in my ASP.NET MVC2 model into knockout's viewModel.

In my aspx page I have:

<script>
var model = <%= new JavaScriptSerializer().serialize(Model) %>; 
// the above line will display in my page's "View Source". Is this bad? slow? 
</script>

Then in my JavaScript include file at the top I have:

$(document).ready(function() {
    var viewModel = new MyViewModel();
    ko.applyBindings(viewModel);

    viewModel.modelProp(model);
});

The code totally works fine, but the concern I have with this is that the JSON output is viewable in the "View Source" option from the browser in the HTML output. I'm curious about two things:

1. Does this also happen in ASP.NET MVC3? I'm using ASP.NET MVC2, hence I can't use @Html.Raw(Json.Encode(Model)); -- But does the MVC3 method result in the same issue?

2. Is this something I should be concerned about? Is it a security issue? Is it a performance issue? The page's source will be larger because I'm outputting the JSON into a JavaScript variable, no? Again, maybe it's not an issue in MVC3?

Answer 1

If I hear you correctly, you want to now if you should be concerned that people can see your json. I would not be concerned about that. In fact, not only can they see the json by viewing source, but they can also see it via a network sniffer like fiddler, httpwatch, or browser developer tools (F12). I'm not sure why you care if the json is visible because once it gets data bound to the UI, it will be there too.

As a side note, by loading your KO viewmodel from MVC, that means your viewmodel will only refresh its model data when you post. If you load it via an ajax call (to perhaps an MVC action since you use asp.net mvc) you could avoid that page refresh. Just another option.