Menu
I am having trouble understanding the details of how a jsonp request works. I have read several sources including the wiki on jsonp and am still very confused on how the callback actually gets a hold of the function returned from the server when a jsonp call is made. For example, in the wiki, the source of the request is set as:
src="http://server2.example.com/RetrieveUser?UserId=1234&jsonp=parseResponse" What exactly does jsonp = parseResponse actually do/mean?? Then they go on to say that the payload is:
parseResponse({"Name": "Foo", "Id" : 1234, "Rank": 7}); How does this work? I am confused on the whole callback functionality. The function name parseResponse is passed to the server and somehow the data returned becomes parameters to this function? Can someone please clearly explain exactly how data is retrieved/used from a jsonp request?
896
Standard JSON Asynchronous requestThe browser makes an asynchronous POST request to the server slapping its parameters to the service in the body. The server responds with a string of JSON data. A success handler of the request fires and the string is converted into a Javascript Object to be used in the application.
JSONP stands for JSON with Padding. Requesting a file from another domain can cause problems, due to cross-domain policy. Requesting an external script from another domain does not have this problem. JSONP uses this advantage, and request files using the script tag instead of the XMLHttpRequest object.
JSONP has some other limitations, too: It can only be used for GET requests, and there's no general way to prevent cross-site request forgeries*. It's bad for private data, since any site on the web could hijack a JSONP response if the URL is known.
JSON with Padding — JSONP for short — is a technique that allows developers to bypass the same-origin policy enforced by browsers by using the <script> element's nature. The policy disallows reading any responses sent by websites whose origins are different from the one currently used.
The callback is a function YOU'VE defined in your own code. The jsonp server will wrap its response with a function call named the same as your specified callback function.
What happens it this:
1) Your code creates the JSONP request, which results in a new <script> block that looks like this:
<script src="http://server2.example.com/RetrieveUser?UserId=1234&jsonp=parseResponse"></script> 2) That new script tag is executed by your browser, resulting in a request to the JSONP server. It responds with
parseResponse({"Name": "Foo", "Id" : 1234, "Rank": 7}); 3) Since this request came from a script tag, it's pretty much EXACTLY the same as if you'd literally placed
<script> parseResponse({"Name": "Foo", "Id" : 1234, "Rank": 7}); </script> into your page.
4) Now that this new script has been loaded from the remote server, it will now be executed, and the only thing it will do is a function call, parseResponse(), passing in the JSON data as the function call's only parameter.
So somewhere else in your code, you'd have:
function parseResponse(data) { alert(data.Name); // outputs 'Foo' } Basically, JSONP is a way of bypassing the browser's same-origin script security policy, by having a 3rd party server inject a function call directly into your page. Note that this is by design highly insecure. You're depending that the remote service is honorable and doesn't have malicious intent. Nothing stops a bad service from returning some JS code that steals your banking/facebook/whatever credentials. e.g.... the JSONP response could've been
internalUseOnlyFunction('deleteHarddrive'); rather than parseReponse(...). If the remote site knows the structure of your code, it can perform arbitrary operations with that code, because you've opened your front door wide-open to allow that site to do anything it wants.
197
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
