I've read http://www.json-p.org/ which states a safer and stricter subset of JSON-P.
The most critical piece of this proposal is that browser vendors must begin to enforce this rule for script tags that are receiving JSON-P content, and throw errors (or at least stop processing) on any non-conforming JSON-P content.
My question is: is that subset of JSON-P already implementable?
JSONP stands for JSON with Padding. Requesting a file from another domain can cause problems due to the cross-domain policy. Requesting an external script from another domain does not have this problem. JSONP uses this to its advantage and requests files using the script tag instead of the XMLHttpRequest object.
What is JSONP? XMLHttpRequest (XHR) can be used to get data from the server. Once the data is received in the browser, it can use the JSON.parse() method to convert the received JSON string into a JavaScript object.
JSONP, or JSON-P (JSON with Padding), is a historical JavaScript technique for requesting data by loading a <script> element, which is an element intended to load ordinary JavaScript.
Its idea is simply to return a JavaScript file which calls the callback function with the JSON object as the first parameter of the JavaScript callback function. You can use the built-in json_encode() function to create JSON strings (which $data in our example above contains) from arrays and objects in PHP.
No, there is no current way to implement/enforce what is proposed, as changes to how browsers process the script tag are required. If you really wanted to implement the proposal, you could build a proxy service on your server which does the JSONP verification for you.
The only real problem this proposal is trying to solve is to make JSONP requests more secure for consumers of JSONP enabled services. However, I honestly think this security problem is a non-issue.
As long as web service consumers are using trusted JSONP services, there is no JSONP specific security threat. If you think the service you are consuming might be untrustworthy, simply don't use it. You can find an alternative service or proxy the untrustworthy service through your own server to clean/verify the response.
The same vulnerabilities which exist for JSONP also exist for ordinary script tags. People link to third party JavaScript libraries all the time with few issues. As an example, people everywhere use Google's copy of jQuery. Google could easily poison this file and fish user data from any webpage which uses this library.
The moral of the story: Only use APIs/services you trust
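As an added example (not code from the question, the answer, or json-p.org), here is what the "padding" described above looks like and what the verifying proxy the answer mentions would actually check before passing a third-party JSON-P body on to a script tag. It assumes the strict form is: exactly one function call, the callback name is a plain dotted identifier the caller expected, and the sole argument is a JSON object or array. The function names `padJson` and `parseStrictJsonp` and the callback names are made up for the illustration.

```javascript
// Added example: produce a JSON-P response and validate one against a strict
// subset. Assumed strict form (not taken from the page): a single call
// `name(<JSON>);` where `name` is a dotted identifier from an allowlist and the
// argument is a JSON object or array. Anything else is rejected.

// Dotted JavaScript identifier, e.g. "handle" or "app.cb"; nothing that could
// smuggle in an expression.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// What a cooperating server emits for ?callback=<callbackName>: the JSON
// payload "padded" with a call to the caller's function.
function padJson(callbackName, value) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error("refusing to pad with an unsafe callback name");
  }
  return `${callbackName}(${JSON.stringify(value)});`;
}

// The check a verifying proxy performs on a body fetched from a third party.
// Returns { ok: true, callback, data } or { ok: false, reason }.
function parseStrictJsonp(body, allowedCallbacks) {
  // One call, optional trailing semicolon, nothing before or after it.
  // The greedy group takes the LAST ")" so strings containing ")" survive,
  // while any extra statements end up inside the argument and fail JSON.parse.
  const m = /^\s*([^\s(]+)\s*\(([\s\S]*)\)\s*;?\s*$/.exec(body);
  if (!m) return { ok: false, reason: "not a single function call" };
  const [, callback, arg] = m;
  if (!CALLBACK_NAME.test(callback)) {
    return { ok: false, reason: "callback is not a plain identifier" };
  }
  if (!allowedCallbacks.includes(callback)) {
    return { ok: false, reason: "callback was not requested by the caller" };
  }
  let data;
  try {
    data = JSON.parse(arg); // JSON.parse never evaluates code, unlike a script tag
  } catch (e) {
    return { ok: false, reason: "argument is not JSON" };
  }
  if (data === null || typeof data !== "object") {
    return { ok: false, reason: "argument must be a JSON object or array" };
  }
  return { ok: true, callback, data };
}

// Constructed sample bodies: one well-formed, one carrying an extra statement.
const goodBody = padJson("app.cb", { list: [1, 2] });
const badBody = 'app.cb({"list":[1,2]}); leak(document.cookie);';
console.log(parseStrictJsonp(goodBody, ["app.cb"]));
console.log(parseStrictJsonp(badBody, ["app.cb"]));
```

Because the proxy parses the argument with JSON.parse rather than executing the body, a response that is anything other than one call with a JSON literal never reaches a script tag; only the already-verified data (or a re-padded call the proxy builds itself) is returned to the page.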