Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Are there reasons not to use JSONP for AJA~X requests?

If you're building an AJA~Xy app, are there any downsides to using JSONP requests/responses even if you're not planning on any cross-domain requests?

The only thing I can think of is that there are a couple extra bytes for the callback wrapper...

Edit:

I found this which also suggests security and error handling as potential problems...

There's no error handling. The script injection either works, or it doesn't. If there's an error from the injection, it'll hit the page, and short of a window wide error handler (bad, bad, very bad), you need to be sure the return value is valid on the server side.

I don't think error handling is much of a problem... most of us would use a library to generate the JSON... the well-formedness of my response isn't a concern for this question.

and security:

There are documents out on the web that can help, but as a cursory check, I would check the referrer in the server side script.

it seems like this is a potential problem with any type of response... certainly, there's nothing unique to JSONP in the security arena...?

like image 465
danb Avatar asked Aug 21 '08 00:08

danb


3 Answers

Downside? It's fairly limited - you trigger a "GET" request and get back some script that's executed. You don't get error handling if your server throws an error, so you need to wrap all errors in JSON as well. You can't really cancel or retry the request. You're at the mercy of the various browser author opinions of "correct" behavior for dynamically-generated <script> tags. Debugging is somewhat more difficult.

That said, i've used it on occasion, and haven't suffered. YMMV.

like image 51
Shog9 Avatar answered Oct 17 '22 09:10

Shog9


Retrieving errors when a jsonp call fails is possible.

http://code.google.com/p/jquery-jsonp/

Hope it helps.

like image 45
Julian Aubourg Avatar answered Oct 17 '22 09:10

Julian Aubourg


I would say the biggest limitation might be the extra overhead for have the browser render a script tag to call the server. Plus is JSONP really considered AJAX since it doesn't actually use the XMLHttpRequest object?

like image 32
Nick Berardi Avatar answered Oct 17 '22 09:10

Nick Berardi