In short, all AJAX requests (and cross-window scripting) are subject to the Same Origin Policy. JSONP (JSON with Padding) isn't subject to the Same Origin Policy because it involves adding a script from an external domain to the DOM; the script itself contains a call to a known function that already exists on the client, with the JSON as the function call's argument.
JSONP can't return HTML or XML directly, but it could pass an object that contains a string of HTML or XML data, which in turn could be added to the DOM or parsed by the client.
For instance, a JSONP might return:
jsonp_callback({"Errors":"none","Data":"<div id='externalWidget'>Hello!</div>"});
When this script is added to the page, the function jsonp_callback will be executed with the JSON object as its argument. That function would then add the HTML code to the page.
There are other ways of achieving what you want. For instance, if the client doesn't need to manipulate the data in any way, you could provide a widget via a HTML document that would be iframed by your client's page:
<iframe id="widget" src="http://mysite.com/widget/v1/"></iframe>
If they did need to manipulate the data, they would be blocked by the Same Origin Policy as outlined above.
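The JSONP exchange described above, written out from the client's side as an added example that is not part of the original answer. The names loadJsonp and checkWidgetPayload and their parameters are assumptions; only jsonp_callback and the Errors/Data fields come from the answer.

```javascript
// Added example. Assumed names: loadJsonp, checkWidgetPayload, doc, scope, container.

// Check the shape of the object the external script passed to the callback
// before any of it reaches the DOM.
function checkWidgetPayload(payload) {
  if (payload === null || typeof payload !== "object") {
    throw new TypeError("JSONP payload is not an object");
  }
  if (payload.Errors !== "none") {
    throw new Error("provider reported errors: " + String(payload.Errors));
  }
  if (typeof payload.Data !== "string") {
    throw new TypeError("Data must be a string of markup");
  }
  return payload.Data;
}

// Load a JSONP script by adding a <script> element to the page.
// doc is the page's document and scope is the object the external script
// resolves its callback on (window in a browser); both are passed in so the
// function can also be exercised outside a browser.
function loadJsonp(doc, scope, url, callbackName, container) {
  return new Promise((resolve, reject) => {
    const script = doc.createElement("script");
    const cleanup = () => {
      delete scope[callbackName];
      if (script.parentNode) script.parentNode.removeChild(script);
    };
    // The "known function that already exists on the client".
    scope[callbackName] = (payload) => {
      cleanup();
      try {
        const html = checkWidgetPayload(payload);
        container.innerHTML = html; // markup is rendered as the provider sent it
        resolve(html);
      } catch (err) {
        reject(err);
      }
    };
    script.onerror = () => {
      cleanup();
      reject(new Error("JSONP script failed to load"));
    };
    script.src = url;
    doc.head.appendChild(script); // the browser fetches and executes it here
  });
}
```

The external script executes with the page's full privileges, so the payload check only catches malformed or error responses; it does not constrain what the provider's script can do.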