JSONP or "JSON with padding" is a complement to the base JavaScript Object Notation JSON data format, a pattern of usage allowing a page to request data from a server in a different domain. JSONP is a solution to this problem, forming an alternative to a more recent method named Cross-Origin Resource Sharing.
Under the same origin policy, a web page served from server1.example.com cannot normally connect to or communicate with a server other than server1.example.com. An exception is the HTML <script>
element. Exploiting the open policy for <script>
elements, some pages use them to retrieve JavaScript code that operates on dynamically generated JSON-formatted data from other origins. This usage pattern is known as JSONP. Requests for JSONP retrieve not JSON, but arbitrary JavaScript code. They are evaluated by the JavaScript interpreter, not parsed by a JSON parser.
Contents |
To see how this pattern works, first consider a URL which on request returns a JSON document. A JavaScript program might request this URL via XMLHttpRequest, for example. Suppose a URL is http://server2.example.com/RetrieveUser?UserId=xxx. Suppose the UserId of Foo is 1234. A browser requesting the URL http://server2.example.com/RetrieveUser?UserId=1234, passing the UserId of Foo, might receive something like:
{"Name": "Foo", "Id" : 1234, "Rank": 7}
This JSON data could be dynamically generated, according to the query parameters passed in the URL.
Now imagine specifying a URL that returns JSON as the src attribute for a <script>
element. The issue with this is that a JavaScript script cannot start with a top-level object literal. This is a syntax error. It can start with a top-level array, but the array is not easily accessible.
In the JSONP usage pattern, the src attribute in the <script>
element returns dynamically generated JSON, with a function call wrapped around it. In this way, the returned resource is still legal JavaScript, but because the anonymous object literal is wrapped in a function call, the browser's JavaScript environment can act on the returned data. It might look like this:
functionCall({"Name": "Foo", "Id" : 1234, "Rank": 7});
The function call is the "P" of JSONP - the "padding" around the pure JSON, or according to some, the "prefix". By convention, the browser provides the name of the callback function as a named query parameter, typically using the name jsonp
or callback
, in its request to the server, e.g.,
<script type="text/javascript" src="http://server2.example.com/RetrieveUser?UserId=1234&jsonp=parseResponse"> </script>
In this example, the received payload would be:
parseResponse({"Name": "Foo", "Id" : 1234, "Rank": 7})
While the padding (prefix) is typically the name of a callback function that is defined within the execution context of the browser, it may also be a variable assignment, an if statement, or any other JavaScript statement. The response to a JSONP request (namely, a request following the JSONP usage pattern) is not JSON and is not parsed as JSON; the returned payload can be any arbitrary JavaScript expression, and it does not need to include any JSON at all. But conventionally, it is a JavaScript fragment that invokes a function call on some JSON-formatted data.
Said differently, the typical use of JSONP provides cross-domain access to an existing JSON API, by wrapping a JSON payload in a function call.
JSONP makes sense only when used with a script element. For each new JSONP request, the browser must add a new <script>
element, or reuse an existing one. The former option - adding a new script element - is done via dynamic DOM manipulation, and is known as script element injection. The <script>
element is injected into the HTML DOM, with the desired value for the "src" attribute. This element is then evaluated, the src URL is retrieved, and the response JSONP function call is evaluated.
In that way, the use of JSONP can be said to allow browser pages to work around the same origin policy via script element injection.
Including script tags from remote sites allows the remote sites to inject any content into a website. If the remote sites have vulnerabilities that allow JavaScript injection, the original site is exposed to an increased risk.
An effort is underway to define a safer strict subset definition for JSON-P[1] that browsers would be able to enforce on script requests with a specific MIME-type such as "application/json-p". If the response didn't parse as strict JSON-P, the browser could throw an error or just ignore the entire response.
Naive deployments of JSONP are subject to cross-site request forgery (CSRF or XSRF) attacks.[2] Because the HTML <script>
tag does not respect the same origin policy in web browser implementations, a malicious page can request and obtain JSON data belonging to another site. This will allow the JSON-encoded data to be evaluated in the context of the malicious page, possibly divulging passwords or other sensitive data if the user is currently logged into the other site.
This is problematic only if the JSON-encoded data contains sensitive information which should not be disclosed to a third party, and the server depends on the browser's Same Origin Policy to block the delivery of the data in the case of an improper request. There is no problem if the server determines the propriety of the request itself, only putting the data on the wire if the request is proper. Cookies are not by themselves adequate for determining if a request was authorized. Exclusive use of cookies is subject to cross-site request forgery.
In July 2005 George Jempty suggested an optional variable assignment be prepended to JSON.[3][4] The original proposal for JSONP, where the padding is a callback function, appears to have been made by Bob Ippolito in December 2005[5] and is now used by many Web 2.0 applications such as by Dojo Toolkit, Google Web Toolkit,[6] and Web services.