views:

965

answers:

4

I don't understand jsonp.

I understand JSON. I don't understand JSONP. Wikipedia is the top search result for JSONP. It says JSONP or "JSON with padding" is a JSON extension wherein a prefix is specified as an input argument of the call itself.

Huh? What call? That doesn't make any sense to me. JSON is a data format. There's no call.

The 2nd search result is from some guy named Remy, who writes JSONP is script tag injection, passing the response from the server in to a user specified function.

I can sort of understand that, but it's still not making any sense.


What is JSONP, why was it created (what problem does it solve), and why would I use it?


Addendum: I've updated Wikipedia with a clearer and more thorough description of JSONP, based on jvenema's answer. Thanks, all.

+1  A: 

JSONP is used to carry requests via Javacript over differing domains.

Jonathan Sampson
nice and crisp and concise, and maybe even correct (I have no way to judge), but it doesn't clarify anything or answer any of my questions. you may as well link to Remy Sharp's page.
Cheeso
@Cheeso: fantastic comment!
Bruno Reis
Cheeso, I recall you asking "Why would I use it?" With regards to its accuracy, the other answers here are saying the same thing, only without brevity. Is it more probable that we're all wrong?
Jonathan Sampson
I didn't suggest that your comment was wrong. I only suggested it was not helpful.
Cheeso
No hard feelings, Cheeso. I'm glad you got your answer :)
Jonathan Sampson
+2  A: 

Because you can ask the server to append a prefix to the returned JSON object. E.g

function_prefix(json_object);

in order for the browser to eval "inline" the JSON string as an expression. This trick makes it possible for the server to "inject" javascript code directly in the Client browser and this with bypassing the "same origin" restrictions.

In other words, you can have cross-domain data exchange.


Normally, XmlHttpRequest doesn't permit cross-domain data-exchange directly (need to go through server) whereas:

<script src="some_other_domain/some_data.js&prefix=function_prefix>` one can access data from a domain different than from the origin.


Also worth noting: even though the server should be considered as "trusted" before attempting that sort of "trick", the side-effects of possible change in object format etc. can be contained. If a function_prefix (i.e. a proper js function) is used to receive the JSON object, the said function can perform checks before accepting/further processing the returned data.

jldupont
+30  A: 

It's actually not too complicated...

Say you're on domain abc.com, and you want to make a request to domain xyz.com. To do so, you need to cross domain boundaries, a no-no in most of browserland.

The one item that bypasses this limitation is <script> tags. When you use a script tag, the domain limitation is ignored, but under normal circumstances, you can't really DO anything with the results, the script just gets evaluated.

Enter JSONP. When you make your request to a server that is JSONP enabled, you pass a special parameter that tells the server a little bit about your page. That way, the server is able to nicely wrap up its response in a way that your page can handle.

For example, say the server expects a parameter called "callback" to enable its JSONP capabilities. Then your request would look like:

http://www.xyz.com/sample.aspx?callback=mycallback

Without JSONP, this might return some basic javascript object, like so:

{ foo: 'bar' }

However, with JSONP, when the server receives the "callback" parameter, it wraps up the result a little differently, returning something like this:

mycallback({ foo: 'bar' });

As you can see, it will now invoke the method you specified. So, in your page, you define the callback function:

mycallback = function(data){
  alert(data.foo);
};

And now, when the script is loaded, it'll be evaluated, and your function will be executed. Voila, cross-domain requests!

It's also worth noting the one major issue with JSONP: you lose a lot of control of the request. For example, there is no "nice" way to get proper failure codes back. As a result, you end up using timers to monitor the request, etc, which is always a bit suspect. The proposition for JSONRequest is a great solution to allowing cross domain scripting, maintaining security, and allowing proper control of the request.

jvenema
Ahhhh, now I get it! Thanks a million.
Cheeso
Please note that using JSONP has some security implications. As JSONP is really javascript, it can do everything else javascript can do, so you need to trust the provider of the JSONP data. I've written som blog post about it here: http://erlend.oftedal.no/blog/?blogid=97
Erlend
Is there really any new security implication in JSONP that is not present in a <script> tag? With a script tag the browser is implicitly trusting the server to deliver non-harmful Javascript, which the browser blindly evaluates. does JSONP change that fact? It seems it does not.
Cheeso
Nope, it doesn't. It you trust it to deliver the javascript, same thing applies for JSONP.
jvenema
It's worth noting that you can ramp up security a little by changing how the data is returned. If you return the script in true JSON format such as mycallback('{"foo":"bar"}') (note that the parameter is now a string), then you can parse the data manually yourself to "clean" it before evaluating.
jvenema
@Cheeso: No it's the exact same problem. But some people fail to realize that this is a problem.@jvenema: You would still have to trust the provider of the data :-)
Erlend
@Erlend, no disagreement - any time you're loading something cross-domain, you'll have to have at least some trust in what you're loading :)
jvenema
Ooof...thanks for the apostrophe fixes TJ...shame on me
jvenema
@jvenema CURL is also developed for cross domain data retrivation ( AFAIK) then what is the need of JSONP?
JustLearn
CURL is a server-side solution, not client-side. They serve two different purposes.
jvenema
A: 

developer.yahoo explains jsonp crystal clearly, including a DIY example. It is worth taking a look.

Comptrol
The link seems to be broken.
Drew Noakes