JSONP

JSONP, or "JSON with padding", is a complement to the base JSON data format: a usage pattern that allows a page to request, and make meaningful use of, JSON from a server other than the one that served the page.

Under the same-origin policy, script running in a web page served from domain1.com cannot normally read a response from a server other than domain1.com. An exception is the HTML <script> tag: a script loaded from any origin is executed within the including page's context. Taking advantage of this open policy for <script> tags, some pages use them to retrieve JSON from other origins.

To see how that works, consider a URL that, when requested, returns a JSON statement. In other words, a browser requesting the URL would receive something like:

   {"Name": "Cheeso", "Rank": 7}

The Basic Idea: Retrieving JSON via Script Tags

It's possible to specify any URL, including a URL that returns JSON, as the src attribute for a <script> tag.

Specifying a URL that returns plain JSON as the src attribute for a script tag would embed a data statement into a browser page. The browser does not treat it as data, however, but parses it as JavaScript: an array literal evaluates to a value that is immediately discarded, and an object literal with quoted keys, such as the one above, is not even a valid statement on its own (the leading brace is read as the start of a block). In neither case is any state changed that the page could observe.

One way to make that script have an effect is to use it as the argument to a function. invoke({"Name": "Cheeso", "Rank": 7}) actually does something, if invoke() is a function defined in the page's JavaScript.

And that is how JSONP works. With JSONP, the browser provides a JavaScript "prefix" to the server in the src URL for the script tag; by convention, the browser provides the prefix as a named query string argument in its request to the server, e.g.,

 <script type="text/javascript"
        src="http://domain2.com/getjson?jsonp=parseResponse">
 </script>

The server then wraps its JSON response with this prefix, or "padding", before sending it to the browser. When the browser receives the wrapped response from the server, it is now a script, rather than simply a data declaration. In this example, what is received is

   parseResponse({"Name": "Cheeso", "Rank": 7})

...which can cause a change of state within the browser's execution context, because it invokes a function that the page has defined.

The Padding

While the padding (prefix) is typically the name of a callback function that is defined within the execution context of the browser, it may also be a variable assignment, an if statement, or any other JavaScript statement prefix. Because the server copies the prefix verbatim from the request into a script that the requesting page will execute, a server should accept only prefixes that match a strict pattern (such as a plain identifier) rather than reflecting arbitrary text.

Script Tag Injection

But to make a JSONP call, you need a script tag. Therefore, for each new JSONP request, the browser must add a new <script> tag (in other words, inject the tag) into the HTML DOM, with the desired value for the src attribute. The element is then evaluated: the src URL is retrieved and the response is executed as JavaScript.

In that way, the use of JSONP can be said to allow browser pages to work around the same-origin policy via script tag injection.
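The exchange described in the three sections above (the client injecting a script tag with a callback name, the server padding its JSON with that name), as an added example in JavaScript that is not part of the original article. The endpoint http://domain2.com/getjson, the jsonp query parameter and the {"Name": "Cheeso", "Rank": 7} payload come from the text; the function names, the callback-name pattern and the offline simulation at the end are assumptions made here. The server half refuses any callback name that is not a plain (optionally dotted) identifier, since the prefix is copied verbatim into a script the page will run.

```javascript
// Added example, not code from the Wikipedia article. Endpoint, parameter name
// and payload are taken from the text; the rest is assumed for illustration.

// ---- Server side -----------------------------------------------------------
// The callback name arrives from an untrusted query string and is copied
// verbatim into a script the client executes, so accept only a JavaScript
// identifier (dotted names such as "app.onData" allowed). Anything else is refused.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function buildJsonpResponse(callbackName, payload) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error("refusing to reflect non-identifier callback name");
  }
  // JSON.stringify output is a valid JavaScript expression, so the result is a
  // single call statement rather than a bare data declaration.
  return `${callbackName}(${JSON.stringify(payload)});`;
}

// ---- Client side -----------------------------------------------------------
// Registers a one-shot global callback, injects a <script> tag whose src carries
// the callback name, and removes both once the response has run. `win`/`doc`
// default to the browser globals; passing `doc: null` skips the DOM step so the
// exchange can be simulated outside a browser (see simulateExchange below).
function jsonpRequest(url, onData, { paramName = "jsonp", win = globalThis, doc = globalThis.document } = {}) {
  const name = "jsonp_cb_" + Date.now().toString(36) + "_" + Math.floor(Math.random() * 1e6);
  const src = url + (url.includes("?") ? "&" : "?") + paramName + "=" + encodeURIComponent(name);
  let script = null;
  win[name] = (data) => {
    delete win[name];            // one-shot: a second response cannot reach the page
    if (script) script.remove();
    onData(data);
  };
  if (doc) {
    script = doc.createElement("script");
    script.src = src;
    doc.head.appendChild(script);  // this is the "script tag injection"
  }
  return { name, src };
}

// ---- Offline simulation of the full exchange -------------------------------
// The "server" reads the callback name from the request URL and wraps the
// payload; the "browser" then evaluates the returned text exactly as it would
// evaluate the fetched script (global scope, so the registered callback resolves).
function simulateExchange(payload) {
  let received = null;
  const { name, src } = jsonpRequest("http://domain2.com/getjson", (d) => { received = d; }, { doc: null });
  const callbackName = new URL(src).searchParams.get("jsonp");
  const body = buildJsonpResponse(callbackName, payload);
  new Function(body)();          // stands in for the browser executing the <script>
  return { received, body, callbackRemoved: !(name in globalThis) };
}
```

In a real page only jsonpRequest runs in the browser; the response text is produced by the remote server. The simulation is there so the round trip can be exercised without a network, and it shows the two properties worth checking: the payload reaches the page's callback, and nothing of the callback is left behind afterwards.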

Basic Security concerns

Because JSONP makes use of script tags, calls are essentially open to the world. For that reason, JSONP may be inappropriate for carrying sensitive data.[21]

Including script tags from remote sites allows the remote sites to inject any content into a website: the remote script runs with the full privileges of the page that included it. If the remote sites have vulnerabilities that allow JavaScript injection, the original site can also be affected.

Cross-site request forgery

Naïve deployments of JSONP are subject to cross-site request forgery attacks (CSRF or XSRF).[22] Because the HTML <script> tag does not respect the same-origin policy in web browser implementations, a malicious page can request and obtain JSON data belonging to another site. The browser attaches the user's cookies for that site to the script request, so the data is returned as if the user had asked for it, and it is then evaluated in the context of the malicious page, possibly divulging passwords or other sensitive data if the user is currently logged into the other site.

This is only a problem if the JSON-encoded data contains sensitive information that should not be disclosed to a third party, and the server depends on the browser's same-origin policy to block the delivery of the data in the case of an improper request. There is no problem if the server determines the propriety of the request itself, only putting the data on the wire if the request is proper. Cookies are not by themselves adequate for determining whether a request was authorized, since the browser sends them with the forged request as well. Exclusive use of cookies is subject to cross-site request forgery.
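The server-side check the previous paragraph calls for, as an added example in JavaScript that is not part of the original article. It models a JSONP endpoint that serves per-user data: a request carrying only the session cookie, which is exactly what a <script src> on an attacker's page produces, is refused, while a request that also carries a per-session token (delivered to same-origin pages in the page body, never in a cookie) is served. The request shape, the session store, the token parameter, the site names and the attacker page are all assumptions made for illustration.

```javascript
// Added example, not code from the Wikipedia article. Request shape, session
// store, token parameter, site names and the attacker page are all assumed.

// Server must still refuse to reflect anything but an identifier as padding.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Constructed session store, keyed by the value of the session cookie. Each
// session carries a random token that only same-origin pages can read (it is
// embedded in the page body, not in a cookie), so a forged request cannot carry it.
const SESSIONS = {
  "sid-7f3a": {
    user: "cheeso",
    token: "3c9f1b2e4d5a6b7c",
    profile: { Name: "Cheeso", Rank: 7 },
  },
};

// Compare without leaking, through timing, how many leading characters matched.
function constantTimeEqual(a, b) {
  const x = String(a), y = String(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x.charCodeAt(i) ^ y.charCodeAt(i);
  return diff === 0;
}

// req = { query: { jsonp, token }, cookies: { sid } }; returns an HTTP-like result.
function handleJsonp(req, sessions = SESSIONS) {
  const query = req.query || {};
  const cookies = req.cookies || {};
  const cb = query.jsonp || "";
  if (!CALLBACK_NAME.test(cb)) return { status: 400, body: "" };

  const session = sessions[cookies.sid];
  if (!session) return { status: 401, body: "" };

  // The browser attaches the session cookie to every request for this host,
  // including a <script src=...> placed on an attacker's page. The cookie
  // therefore proves who the user is, not that this page was allowed to ask.
  if (!constantTimeEqual(query.token || "", session.token)) {
    return { status: 403, body: "" };
  }
  return {
    status: 200,
    // A script MIME type is required: with nosniff the browser refuses to
    // execute a response labelled application/json as a script.
    headers: { "Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff" },
    body: `${cb}(${JSON.stringify(session.profile)});`,
  };
}

// What the attacker's page emits (constructed). The victim's browser adds the
// domain1.com session cookie to this request, but the attacker cannot know the token.
const ATTACKER_PAGE = '<script src="http://domain1.com/getjson?jsonp=steal"></script>';

function forgedRequest() {
  const url = new URL(ATTACKER_PAGE.match(/src="([^"]+)"/)[1]);
  return handleJsonp({ query: Object.fromEntries(url.searchParams), cookies: { sid: "sid-7f3a" } });
}

// A same-origin page read the token from its own HTML and sends it along.
function legitimateRequest() {
  return handleJsonp({ query: { jsonp: "parseResponse", token: "3c9f1b2e4d5a6b7c" }, cookies: { sid: "sid-7f3a" } });
}
```

The token here plays the same role as an anti-CSRF token on a form: it is something the attacker's page cannot read because the same-origin policy does apply to reading domain1.com's HTML, even though it does not apply to executing domain1.com's scripts. The simpler alternative, which the article also allows for, is not to expose per-user data through JSONP at all.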

History

The original proposal for JSONP appears to have been made by Bob Ippolito in 2005[23] and is now used by many Web 2.0 applications such as Dojo Toolkit applications, Google Web Toolkit applications[24] and web services. Further extensions of this protocol have been proposed by considering additional input arguments, as, for example, is the case of JSONPP[25], supported by S3DB web services.

 

Source: <http://en.wikipedia.org/wiki/JSON#JSONP>