First of all, please read these explanations:
One sentence for each:
JSONP just loads a JS file through a <script> tag and runs the code inside it once it has loaded; the data comes back as a call to a callback function you named in the request. A <script> tag can point at any domain, so it is cross-domain by nature.
Ajax uses XMLHttpRequest to request any kind of resource, but whether it can go cross-domain depends on the browser: the same-origin policy blocks it unless the browser and the server both support CORS.
The good part of JSONP:
1. real-time (the browser talks to the data server directly, no proxy in between)
2. compatible with all browsers (anything that can load a <script> tag)
3. easy callback and fallback
4. performance
5. cross-domain
The bad part of JSONP:
1. not safe for passing data to the server (a <script> tag is always a GET, so everything goes in the URL)
2. no control on the client side: once the script has loaded, whatever it contains runs; you cannot inspect the response before it executes
3. data type is limited (the response must be a JS file, i.e. plain text, but don't forget that a data URI can carry binary content inside it)
The good part of Ajax:
1. more secure (can use POST, and the response is data that you parse, not code that the browser runs)
2. can request any kind of data
3. more response information (status code, headers)
4. progress tracking
The bad part of Ajax:
1. cannot cross domains (without CORS support on both sides)
2. more work on callback and fallback
3. not as easy to use
(note: #2 and #3 can be improved by a third-party library)
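To make the difference concrete, here is an added example (not code from the original post): a JSONP round trip simulated in Node.js, with the server-side filtering of the callback parameter that the discussion below leaves to PHP/Java, next to the Ajax path where the same bytes go through JSON.parse. The function names (buildJsonpResponse, runJsonpResponse, parseAjaxResponse, demo) and the sample data are our own; in a real browser the client part is a <script> tag, which new Function() stands in for here.

```javascript
// Added example, not from the original post. Names and sample data are ours.

// --- server side ----------------------------------------------------------
// The callback name arrives in the query string (?callback=handleUser), so it
// is attacker-controlled text that the server is about to place in a script.
// Whitelist it to a plain identifier; never echo it back raw.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

function buildJsonpResponse(callbackName, data) {
  if (!CALLBACK_RE.test(callbackName)) {
    return null; // the caller should answer 400 and emit no script at all
  }
  // JSON text is a valid JS expression except for U+2028/U+2029 inside
  // strings, which older engines treat as line terminators; escape them so
  // the generated script can never break in the middle of a literal.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `/**/${callbackName}(${json});`;
}

// --- client side ----------------------------------------------------------
// In a browser the client does
//   var s = document.createElement("script");
//   s.src = "https://api.example/users?callback=handleUser";   // hypothetical URL
//   document.head.appendChild(s);
// and the browser evaluates whatever text comes back, in the page's scope.
// Here new Function() plays the <script> tag: the response text is executed
// as code, and the functions in `scope` are the globals it can reach.
function runJsonpResponse(responseText, scope) {
  const names = Object.keys(scope);
  const fn = new Function(...names, responseText);
  return fn(...names.map((n) => scope[n]));
}

// Ajax equivalent: the same bytes arrive via XMLHttpRequest.responseText and
// go through JSON.parse, which rejects anything that is not a JSON value.
function parseAjaxResponse(responseText) {
  try {
    return { ok: true, value: JSON.parse(responseText) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// --- demonstration --------------------------------------------------------
function demo() {
  const received = [];
  const scope = {
    handleUser: (u) => received.push(u),
    // stands in for any other function the page exposes (say, one that posts
    // data somewhere); a rogue JSONP response can call it just as easily
    sendElsewhere: (x) => received.push("leaked:" + JSON.stringify(x)),
  };

  // 1. honest server, honest callback name: the callback gets the data
  const good = buildJsonpResponse("handleUser", { id: 7, name: "alva" });
  runJsonpResponse(good, scope);

  // 2. attacker-supplied callback name: rejected before it becomes script
  const bad = buildJsonpResponse("handleUser);sendElsewhere(1", { id: 7 });

  // 3. response from a server you do not control: the <script> tag runs
  //    every statement in it, while JSON.parse refuses the same text
  const rogue = 'handleUser({"id":7}); sendElsewhere({"id":7});';
  runJsonpResponse(rogue, scope);
  const viaAjax = parseAjaxResponse(rogue);

  return { good, bad, received, viaAjax };
}
```

The point of case 3 is the one the discussion keeps coming back to: with JSONP the only protection is that the serving domain is yours and filters its output; with Ajax the parser is a second line of defence because a response that is not pure JSON never becomes code.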
Alva (ALW), David (DAA), James (JAT) and I (CHY) discussed them on Skype.
Here's a list of the points:
1. DAA: can use a PHP proxy to cross domains
CHY: but lower performance and not real-time
2. ALW: JSONP is more elegant and can be a server-side proxy
3. DAA: what about XSS?
JAT: content can be dynamic, which may cause server overload
ALW: anyone can access the URL which Ajax uses too (can cause XSS and server overload)
CHY: server-side security should be taken care of by PHP, not FO
CHY: what JSONP does is the same as a <script> tag (load and run code); you cannot limit it in order to improve server security
4. DAA: at least with Ajax we have another level of protection in the interpreter and JSON parser
JAT: for a large site, the static JS is on a separate server, which has no need to process logic; JSONP will generate data according to parameters
CHY: this part is done by PHP/Java/... (filter the request and output safe data)
5. JAT: the server side should be considered
CHY: it depends on the server security policy, no matter whether it's using JSONP or not
6. CHY: JSONP doesn't impact server-side security, because that should not depend on whether JSONP is used; if you've really taken care of security, an attacker cannot hurt your server easily
7. DAA: I am not just restricting security to the server side; client-side security is also important. Just so everybody is aware of this.
CHY: We cannot do anything about it, because you can run JS easily. Do you know GM? That's a good example
CHY: What we can do for security is protect the user's information well on the server (don't leak it to the client side)
8. JAT: If we just want to implement a client for a rich client application, where the user only has permission to access his own data, it's not suitable to use JSONP (beware that the data transferred between server and client is not encrypted)
9. DAA: since it is cross-domain, that code returns from somebody else's server; you don't have control, who knows what it will do.
ALW: Just think about this: you have many sites, let's say A and B (different domains). On site B you want something just like on site A, so we will use JSONP. But if there is a site C, which is not ours, we should not use JSONP to do this. Just make sure the servers' (domains') output is under our own control.
(yes, everything should be under your control, but you cannot control JS injection from the client side)