

Ask HN: XMLHttpRequest, Cross-site scripting and JSONP - iqster

Hi all,<p>I encountered a nasty surprise while coding an app ... wanted to discuss the issue and get thoughts from others. In short, I assumed that it was possible to use XMLHttpRequest from a Javascript application to call Twitter, Facebook and other web-enabled APIs. It turns out that for a service that returns JSON or XML, you can't call a web service (from javascript running inside a browser) that is not in the same domain as the original webpage. (Well ... IE lets you do it, but it gives you a nasty security warning. Other browsers I tried seem to block the request completely). It turns out that there is a workaround ... if the web service returns JSONP, you can use a script tag to make the web service call.<p>I have some specific questions, but would certainly appreciate related thoughts.<p>1) Is this really how it is supposed to work? Am I missing something? If this is how "it" is supposed to work, then "it" is lame.
2) How common is jsonp in web service APIs? Is this a non-standard hack or widely used by web companies.
3) One obvious workaround to the whole mess is to just make the web service calls from the server side and relay data to the client browser. Is this the standard practice?<p>Thanks for any light you may be able to shed on current usage and best practices!
======
mschwar99
I think you'd find a site like stackoverflow to be a more helpful place to ask
a question like this. Certainly there are JS experts around here, but people
tend to be in a different mode when browsing HN and are more up for discussing
tech at a 10,000 foot perspective.

Here is a good summary from SO:
[http://stackoverflow.com/questions/2067472/please-explain-
js...](http://stackoverflow.com/questions/2067472/please-explain-jsonp)

To quickly answer:

1) Yes - Its the browser security model enforcing this rule and not anything
directly related to the DOM. In theory the rule is in place to make cross site
scripting harder. It is bizarre that there is an easy work around like JSONP,
but I'd say lets just be grateful that it exists.

2) Common. Its a hack, but its also useful enough that its widely used.

3) Yes - thats proxying your data. Very common.

~~~
iqster
Thanks so much.

------
yuvadam
[http://stackoverflow.com/questions/2067472/please-explain-
js...](http://stackoverflow.com/questions/2067472/please-explain-jsonp)

