JSONP

JSONP (JSON with Padding or JSON-P) is a JavaScript pattern to request data by loading a <script> tag.
26 Related Articles

JSON

JSONP (JSON with Padding or JSON-P) is a JavaScript pattern to request data by loading a <script> tag.
This subtlety is important when generating JSONP.

XMLHttpRequest

The policy disallows running JavaScript to read media DOM elements or XHR data fetched from outside the page's origin.
Various alternatives exist to circumvent this security feature, including using JSONP, Cross-Origin Resource Sharing (CORS) or alternatives with plugins such as Flash or Silverlight.

Cross-origin resource sharing

Services replying with pure JSON data were not able to share the data across domains before the adoption of CORS (Cross-origin resource sharing).
CORS can be used as a modern alternative to the JSONP pattern.

Same-origin policy

JSONP enables sharing of data by bypassing the same-origin policy.

JavaScript

The policy disallows running JavaScript to read media DOM elements or XHR data fetched from outside the page's origin.

Document Object Model

The policy disallows running JavaScript to read media DOM elements or XHR data fetched from outside the page's origin.

Callback (computer programming)

By convention, the server providing the JSON data allows the requesting website to name the JSONP function, typically using jsonp or callback as the query parameter name in its request to the server, e.g.,

JQuery

jQuery and other frameworks have JSONP helper functions; there are also standalone options.

MIME

An effort was undertaken around 2011 to define a safer strict subset definition for JSONP that browsers would be able to enforce on script requests with a specific MIME type such as "application/json-p".

Cross-site request forgery

Naive deployments of JSONP are subject to cross-site request forgery (CSRF or XSRF) attacks.

Adobe Flash Player

Rosetta Flash is an exploitation technique that allows an attacker to exploit servers with a vulnerable JSONP endpoint by causing Adobe Flash Player to believe that an attacker-specified Flash applet originated on the vulnerable server.

Zlib

The exploit uses an ActionScript payload compiled to an SWF file composed entirely of alphanumeric characters by crafting a zlib stream with a particular header and DEFLATE blocks with ad-hoc Huffman coding.

DEFLATE

The exploit uses an ActionScript payload compiled to an SWF file composed entirely of alphanumeric characters by crafting a zlib stream with a particular header and DEFLATE blocks with ad-hoc Huffman coding.

Huffman coding

The exploit uses an ActionScript payload compiled to an SWF file composed entirely of alphanumeric characters by crafting a zlib stream with a particular header and DEFLATE blocks with ad-hoc Huffman coding.

Common Vulnerabilities and Exposures

This vulnerability was discovered and published by Google security engineer Michele Spagnuolo and has been assigned CVE-2014-4671 and CVE-2014-5333.

Web 2.0

The original proposal for JSONP, where the padding is a callback function, appears to have been made by Bob Ippolito in December 2005 and is now used by many Web 2.0 applications such as Dojo Toolkit, Google Web Toolkit and Web services.

Dojo Toolkit

The original proposal for JSONP, where the padding is a callback function, appears to have been made by Bob Ippolito in December 2005 and is now used by many Web 2.0 applications such as Dojo Toolkit, Google Web Toolkit and Web services.

Google Web Toolkit

The original proposal for JSONP, where the padding is a callback function, appears to have been made by Bob Ippolito in December 2005 and is now used by many Web 2.0 applications such as Dojo Toolkit, Google Web Toolkit and Web services.

Web service

The original proposal for JSONP, where the padding is a callback function, appears to have been made by Bob Ippolito in December 2005 and is now used by many Web 2.0 applications such as Dojo Toolkit, Google Web Toolkit and Web services.

Mobile development framework


Ajax (programming)

The same-origin policy prevents some Ajax techniques from being used across domains, although the W3C has a draft of the XMLHttpRequest object that would enable this functionality. Methods exist to sidestep this security feature by using a special Cross Domain Communications channel embedded as an iframe within a page, or by the use of JSONP.

Comet (programming)

This creates a potential security risk for both servers involved, though the risk to the data provider (in our case, the Comet server) can be avoided using JSONP.

Literal (computer programming)

Because of this, almost every valid JSON document (except for some subtleties with escaping) is also valid JavaScript code, a fact exploited in the JSONP technique.