ansaurus

Question

Please explain JSONP

Answer 1

+1 A:

JSONP is used to carry requests via Javacript over differing domains.

Jonathan Sampson 2010-01-14 20:57:26

nice and crisp and concise, and maybe even correct (I have no way to judge), but it doesn't clarify anything or answer any of my questions. you may as well link to Remy Sharp's page.

Cheeso 2010-01-14 21:07:12

@Cheeso: fantastic comment!

Bruno Reis 2010-01-14 21:09:01

Cheeso, I recall you asking "Why would I use it?" With regards to its accuracy, the other answers here are saying the same thing, only without brevity. Is it more probable that we're all wrong?

Jonathan Sampson 2010-01-14 21:14:11

I didn't suggest that your comment was wrong. I only suggested it was not helpful.

Cheeso 2010-01-14 22:22:01

No hard feelings, Cheeso. I'm glad you got your answer :)

Jonathan Sampson 2010-01-14 23:46:36

Answer 2

+2 A:

Because you can ask the server to append a prefix to the returned JSON object. E.g

function_prefix(json_object);

in order for the browser to eval "inline" the JSON string as an expression. This trick makes it possible for the server to "inject" javascript code directly in the Client browser and this with bypassing the "same origin" restrictions.

In other words, you can have cross-domain data exchange.

Normally, XmlHttpRequest doesn't permit cross-domain data-exchange directly (need to go through server) whereas:

<script src="some_other_domain/some_data.js&prefix=function_prefix>` one can access data from a domain different than from the origin.

Also worth noting: even though the server should be considered as "trusted" before attempting that sort of "trick", the side-effects of possible change in object format etc. can be contained. If a function_prefix (i.e. a proper js function) is used to receive the JSON object, the said function can perform checks before accepting/further processing the returned data.

jldupont 2010-01-14 20:58:25

Answer 3

+30 A:

It's actually not too complicated...

Say you're on domain abc.com, and you want to make a request to domain xyz.com. To do so, you need to cross domain boundaries, a no-no in most of browserland.

The one item that bypasses this limitation is <script> tags. When you use a script tag, the domain limitation is ignored, but under normal circumstances, you can't really DO anything with the results, the script just gets evaluated.

Enter JSONP. When you make your request to a server that is JSONP enabled, you pass a special parameter that tells the server a little bit about your page. That way, the server is able to nicely wrap up its response in a way that your page can handle.

For example, say the server expects a parameter called "callback" to enable its JSONP capabilities. Then your request would look like:

http://www.xyz.com/sample.aspx?callback=mycallback

Without JSONP, this might return some basic javascript object, like so:

{ foo: 'bar' }

However, with JSONP, when the server receives the "callback" parameter, it wraps up the result a little differently, returning something like this:

mycallback({ foo: 'bar' });

As you can see, it will now invoke the method you specified. So, in your page, you define the callback function:

mycallback = function(data){
  alert(data.foo);
};

And now, when the script is loaded, it'll be evaluated, and your function will be executed. Voila, cross-domain requests!

It's also worth noting the one major issue with JSONP: you lose a lot of control of the request. For example, there is no "nice" way to get proper failure codes back. As a result, you end up using timers to monitor the request, etc, which is always a bit suspect. The proposition for JSONRequest is a great solution to allowing cross domain scripting, maintaining security, and allowing proper control of the request.

jvenema 2010-01-14 21:08:08

Ahhhh, now I get it! Thanks a million.

Cheeso 2010-01-14 21:18:38

Please note that using JSONP has some security implications. As JSONP is really javascript, it can do everything else javascript can do, so you need to trust the provider of the JSONP data. I've written som blog post about it here: http://erlend.oftedal.no/blog/?blogid=97

Erlend 2010-01-14 21:24:38

Is there really any new security implication in JSONP that is not present in a <script> tag? With a script tag the browser is implicitly trusting the server to deliver non-harmful Javascript, which the browser blindly evaluates. does JSONP change that fact? It seems it does not.

Cheeso 2010-01-14 21:45:56

Nope, it doesn't. It you trust it to deliver the javascript, same thing applies for JSONP.

jvenema 2010-01-14 21:52:44

It's worth noting that you can ramp up security a little by changing how the data is returned. If you return the script in true JSON format such as mycallback('{"foo":"bar"}') (note that the parameter is now a string), then you can parse the data manually yourself to "clean" it before evaluating.

jvenema 2010-01-15 00:04:08

@Cheeso: No it's the exact same problem. But some people fail to realize that this is a problem.@jvenema: You would still have to trust the provider of the data :-)

Erlend 2010-01-15 10:13:24

@Erlend, no disagreement - any time you're loading something cross-domain, you'll have to have at least some trust in what you're loading :)

jvenema 2010-01-17 21:54:28

Ooof...thanks for the apostrophe fixes TJ...shame on me

jvenema 2010-03-15 13:20:21

@jvenema CURL is also developed for cross domain data retrivation ( AFAIK) then what is the need of JSONP?

JustLearn 2010-09-08 04:19:14

CURL is a server-side solution, not client-side. They serve two different purposes.

jvenema 2010-09-08 13:10:09

Answer 4

A:

developer.yahoo explains jsonp crystal clearly, including a DIY example. It is worth taking a look.

Comptrol 2010-07-01 18:57:56

The link seems to be broken.

Drew Noakes 2010-08-29 16:21:11

ansaurus

tags:

views:

answers:

Please explain JSONP

related questions