Create a gist now

Instantly share code, notes, and snippets.

@tmcw /json.md
Created Aug 15, 2013

Embed
What would you like to do?
Why JSONP is a terrible idea and I will never use it again

Moral Concerns

JSONP is not actually JSON with padding, it's Javascript code that's executed. JSON is not a real subset of Javascript and the way it is not is important to us: via UTFGrid, we are all UTF-8 masters.

JSONP is not safe: it's Javascript that's executed. It's trivial to XSS with JSONP, because JSONP is XSS. Just have a call like mapbox.load('foo.tilejson', …) and if foo.tilejson gets replaced with destroyYoursite(), it gets run. Compare to JSON.parse, which is, on purpose, not eval.

Practical Concerns

JSONP is questionable in terms of performance. To be fast, you want to have the same callback all the time so that you can cache the response. But this leads to a page like

<script>grid('a');</script>
<script>grid('c');</script>
<script>grid('b');</script>

In which the grid function is called by several relatively-anonymous script tags in quick succession. The events browsers give us for script loading suck: the load event isn't the 'evaled and executed' event, it's just the load event. That sucks.

The less performant way to do things is with dynamic callbacks, like foo.php?callback=foobar123213. So every response needs a new request and your cache sucks.

CORS

The future is CORS but it isn't the present: it isn't supported on IE<10. So, we're jfdi'ing it: which means XDomainRequest. Which sucks.

IE sucks, but you choose your kind of suck: the restrictions of XDomainRequest - only the GET HTTP verb, no headers, etc - shouldn't matter to us.

One thing: unlike JSONP, where HTTPS throws a warning but can work, XDomainRequest totally falls flat on HTTP->HTTPS or vice-versa.

What the World Really Needs is an Ajax Library Written By Me

CORSLITE

@tmcw

This comment has been minimized.

Show comment
Hide comment
@47ronin

This comment has been minimized.

Show comment
Hide comment
@47ronin

47ronin Nov 28, 2016

Are most AngularJS $http.jsonp() projects vulnerable, to some extent?

47ronin commented Nov 28, 2016

Are most AngularJS $http.jsonp() projects vulnerable, to some extent?

@aligajani

This comment has been minimized.

Show comment
Hide comment
@aligajani

aligajani Dec 7, 2016

I think so

I think so

@crazytonyi

This comment has been minimized.

Show comment
Hide comment
@crazytonyi

crazytonyi Apr 13, 2018

CORS isn't really the answer, I don't think. Because it's just a check on the remote server to see how they feel about their resource being retrieved from another site. If my intention is to use ajax to get the browser to download some crazy evil shit from a remote URL, I'm going to make sure that the remote site has Access-Control-Allow-Origin: * set.

CORS isn't really the answer, I don't think. Because it's just a check on the remote server to see how they feel about their resource being retrieved from another site. If my intention is to use ajax to get the browser to download some crazy evil shit from a remote URL, I'm going to make sure that the remote site has Access-Control-Allow-Origin: * set.

@danielpaull

This comment has been minimized.

Show comment
Hide comment
@danielpaull

danielpaull Jul 20, 2018

So long as you don't blindly eval() the crazy evil shit then you should be just fine.

So long as you don't blindly eval() the crazy evil shit then you should be just fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment