
Why do browsers allow cross-origin JSONP requests and do not allow JSON requests? I know that JSON requests are not allowed to prevent XSS, but I don't see how JSONP is safer than JSON.

In fact, could JSONP be even more dangerous because it is technically a script, where JSON is just a text string?

user2939415

2 Answers


JSONP is not safer. It's a workaround/loophole/hack to get past the same origin policy.

CORS is the safer alternative to JSONP.

Matt Ball
  • Why do browsers block JSON requests, when developers can always just use JSONP instead (which is no safer)? What is the point of allowing one but not the other? – user2939415 Jan 24 '14 at 18:34
  • Developers **can't** always use JSONP. The server must support it. – Matt Ball Jan 24 '14 at 19:33
  • So, browsers allow JSONP (and not JSON) because **fewer** web APIs support JSONP? Is this the reason? – user2939415 Jan 24 '14 at 21:51
  • It's not that browsers "allow" JSONP. A browser can't distinguish between JSONP and a ` – Matt Ball Jan 24 '14 at 21:55
  • I am aware of that ("allow" is just a concise way of saying it). If a browser permits JSONP, then allowing JSON as well will not make a big security difference, right? – user2939415 Jan 24 '14 at 22:15

Because cross-domain JSON is blocked, sensitive data can be transmitted using JSON, rather than JSONP. This prevents XSS. Additionally, a server should not send sensitive data using JSONP. Thus, sending data using JSON protects it from unauthorized observation. JSON is safer in this sense.

user2939415
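As an added illustration of both answers (example code, not from anyone in this thread), the following Python helpers show the server side of the distinction: a JSONP endpoint cannot restrict who reads it, because any origin can load it with a script tag, so it refuses sensitive data and validates the reflected callback name; a CORS endpoint returns plain JSON and only grants cross-origin read access to an allowlist of origins. The origin allowlist, the callback pattern and the sample payloads are constructed assumptions for the example.

```python
import json
import re

# Constructed allowlist: callback names must be plain JS identifiers (dots allowed
# for namespaced callbacks). Anything else would be reflected verbatim into a
# script body, which is the injection risk JSONP carries and JSON does not.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")

# Constructed allowlist of origins that may read JSON responses cross-origin.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def jsonp_response(data, callback, sensitive=False):
    """Return (status, headers, body) for a JSONP request.

    JSONP is loaded via <script>, which every origin may do, so the response
    is readable by any page; sensitive data is therefore refused outright.
    """
    if sensitive:
        return 403, {"Content-Type": "text/plain"}, "JSONP not permitted for sensitive data"
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain"}, "invalid callback name"
    payload = json.dumps(data)
    # U+2028/U+2029 are legal inside JSON strings but terminate a JS line;
    # escape them so the emitted script stays well-formed.
    payload = payload.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    # Leading comment keeps the body from starting with caller-chosen bytes.
    return 200, headers, f"/**/{callback}({payload});"


def cors_response(data, origin, allow_credentials=False):
    """Return (status, headers, body) for a cross-origin JSON request.

    The data is sent as plain JSON; the browser only exposes the body to the
    calling page if Access-Control-Allow-Origin names that page's origin.
    A wildcard is never used, so credentials can be allowed for trusted origins.
    """
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Vary": "Origin",  # caches must not reuse one origin's header for another
    }
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    # Unlisted origins get no header: the same-origin policy then blocks the
    # calling page from reading the response, which is what the second answer
    # relies on when it calls JSON the safer channel for sensitive data.
    return 200, headers, json.dumps(data)


if __name__ == "__main__":
    print(jsonp_response({"n": 1}, "cb"))
    print(jsonp_response({"n": 1}, "alert(1)//"))
    print(jsonp_response({"token": "secret"}, "cb", sensitive=True))
    print(cors_response({"token": "secret"}, "https://app.example", allow_credentials=True))
    print(cors_response({"token": "secret"}, "https://other.example"))
```

The two functions make Matt Ball's point concrete: the JSONP helper has no way to say "only these origins may read this", it can only refuse or sanitise, while the CORS helper expresses exactly that policy in one response header.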