JSONP or CORS – cross domain requests

Just been reading up about JSONP (JSON with Padding) and how you can use it to get cross-domain requests to work. This is normally not allowed in browserland because of XSS (Cross-Site Scripting) attacks, so I found it interesting that JSONP has managed to work some magic around this. It’s not a magic bullet because it has its own security implications – mainly because it executes a function on your client with the data that comes back from the remote server. That may not be a good idea if you don’t totally trust that server or it has been compromised. That’s where CORS comes in. CORS (Cross-Origin Resource Sharing) allows other HTTP request methods too, like PUT and DELETE, so it’s a bit more flexible than the GET-only JSONP. One to remember next time you need to do some cross-domain access.
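The trust difference described above, as an added example that is not part of the original post: a JSONP response is executed as script, while a CORS response is only parsed as data. The function names, origins and sample responses are constructed for illustration, and `new Function` stands in for the `<script>` tag a browser would use to load JSONP.

```javascript
// Constructed sample responses from a hypothetical remote API.
const honestJsonp = 'handleData({"user":"alice"})';
const tamperedJsonp = 'handleData({"user":"alice"}); page.sessionToken = "overwritten"';
const honestJson = '{"user":"alice"}';

// JSONP: the response body is loaded as a script, so everything in it runs
// with the page's privileges. `page` stands in for state the page holds.
function loadViaJsonp(responseBody, page) {
  let received = null;
  const handleData = (data) => { received = data; };
  new Function('handleData', 'page', responseBody)(handleData, page);
  return received;
}

// CORS: fetch()/XMLHttpRequest returns the body as text, and the client
// parses it as data. Anything that is not pure JSON is rejected, not run.
function loadViaCors(responseBody) {
  try {
    return JSON.parse(responseBody);
  } catch {
    return null;
  }
}

// Server side of CORS: only allowlisted origins get the headers, and the
// server states which methods (beyond GET) cross-origin callers may use.
function corsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Methods': 'GET, PUT, DELETE',
    'Vary': 'Origin',
  };
}

// The tampered JSONP body delivers the data and also changes page state;
// the same bytes arriving over the CORS path are refused by the parser.
const page = { sessionToken: 'secret' };
console.log(loadViaJsonp(tamperedJsonp, page), page.sessionToken);
console.log(loadViaCors(tamperedJsonp), loadViaCors(honestJson));
console.log(corsHeaders('https://app.example', ['https://app.example']));
```

With JSONP the only control is trust in the remote server; with CORS the server decides which origins may read the response and the client never executes the body.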






