
What is JSONP, and why was it created?

I understand JSON, but not JSONP. Wikipedia's document on JSON is (was) the top search result for JSONP. It says this:

JSONP or "JSON with padding" is a JSON extension wherein a prefix is specified as an input argument of the call itself.

Huh? What call? That doesn't make any sense to me. JSON is a data format. There's no call.

The 2nd search result is from some guy named Remy, who writes this about JSONP:

JSONP is script tag injection, passing the response from the server in to a user specified function.

I can sort of understand that, but it's still not making any sense.

So what is JSONP? Why was it created (what problem does it solve)? And why would I use it?

Addendum: I've just created a new page for JSONP on Wikipedia; it now has a clear and thorough description of JSONP, based on jvenema's answer.

For the record, do NOT use JSONP if you don't trust the server you're talking to 100%. If it is compromised, your webpage will be trivially compromised.
Also note that JSONP can be hijacked if not implemented correctly.
I would like to give credit to the author of JSONP who gave the philosophy behind it: Bob Ippolito's archive on JSONP. He introduces JSONP as "a new technology agnostic standard methodology for the script tag method for cross-domain data fetching".
For those who might arrive here more than a decade after the question through a search for something else and are confused: JSON-P is now also the name of a Java API for processing JSON, mainly parsing and writing it. It mirrors the XML StAX and DOM APIs, for streaming input/output and document modeling respectively. It supports JSON Pointer for querying, like XPath for XML. I think it also intends to provide the means to transform JSON through JSON Patch, like XML with XSLT and the Java XML Transformer API, but it's still a bit less advanced than XSLT. This question is about script injection.

Rahul Gupta

It's actually not too complicated...

Say you're on domain example.com, and you want to make a request to domain example.net. To do so, you need to cross domain boundaries, a no-no in most of browserland.

The one item that bypasses this limitation is <script> tags. When you use a script tag, the domain limitation is ignored, but under normal circumstances, you can't really do anything with the results, the script just gets evaluated.

Enter JSONP. When you make your request to a server that is JSONP enabled, you pass a special parameter that tells the server a little bit about your page. That way, the server is able to nicely wrap up its response in a way that your page can handle.

For example, say the server expects a parameter called callback to enable its JSONP capabilities. Then your request would look like:

http://www.example.net/sample.aspx?callback=mycallback

Without JSONP, this might return some basic JavaScript object, like so:

{ foo: 'bar' }

However, with JSONP, when the server receives the "callback" parameter, it wraps up the result a little differently, returning something like this:

mycallback({ foo: 'bar' });

As you can see, it will now invoke the method you specified. So, in your page, you define the callback function:

mycallback = function(data){
  alert(data.foo);
};

And now, when the script is loaded, it'll be evaluated, and your function will be executed. Voila, cross-domain requests!

It's also worth noting the one major issue with JSONP: you lose a lot of control of the request. For example, there is no "nice" way to get proper failure codes back. As a result, you end up using timers to monitor the request, etc, which is always a bit suspect. The proposition for JSONRequest is a great solution to allowing cross domain scripting, maintaining security, and allowing proper control of the request.

These days (2015), CORS is the recommended approach vs. JSONRequest. JSONP is still useful for older browser support, but given the security implications, unless you have no choice, CORS is the better choice.
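The server side of the wrapping described in the answer above, as an added example that is not part of the original answer or of any particular framework. The function names, the 64-character limit and the returned response shape are assumptions made for illustration; the point is that the `callback` value is caller-controlled text echoed into a script, so it is validated before use.

```javascript
// Added example: build a JSONP response while treating ?callback= as untrusted.
// All names here (isSafeCallback, buildJsonpResponse, ...) are hypothetical.

// Accept only dotted identifier paths such as "mycallback" or "app.onData".
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64; // assumed limit

function isSafeCallback(name) {
  return typeof name === 'string' &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// JSON.stringify output is valid JSON but not always safe inside a script:
// escape U+2028/U+2029 (line terminators in older engines) and "<" so the
// payload cannot form a closing script tag if it is ever rendered as HTML.
function serializeForScript(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\u003c');
}

function buildJsonpResponse(callback, data) {
  if (callback === undefined) {
    // No callback requested: answer with plain JSON.
    return { status: 200,
             headers: { 'Content-Type': 'application/json; charset=utf-8' },
             body: JSON.stringify(data) };
  }
  if (!isSafeCallback(callback)) {
    // Reject instead of echoing arbitrary text into executable script.
    return { status: 400,
             headers: { 'Content-Type': 'text/plain; charset=utf-8' },
             body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript; charset=utf-8',
               'X-Content-Type-Options': 'nosniff' },
    // The leading comment keeps caller-chosen bytes off the start of the body.
    body: `/**/${callback}(${serializeForScript(data)});`,
  };
}

// The request from the answer: ?callback=mycallback
console.log(buildJsonpResponse('mycallback', { foo: 'bar' }).body);
```

This only constrains what the server emits; the page that loads the script still runs whatever the JSONP provider returns.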


Please note that using JSONP has some security implications. As JSONP is really JavaScript, it can do everything else JavaScript can do, so you need to trust the provider of the JSONP data. I've written some blog post about it here: erlend.oftedal.no/blog/?blogid=97
Is there really any new security implication in JSONP that is not present in a