From Wikipedia, the free encyclopedia
Jump to: navigation, search

JSONP (JSON with Padding or JSON-P[1]) is a technique used by web developers to overcome the cross-domain restrictions imposed by browsers' same-origin policy that limits access to resources retrieved from origins other than the one the page was served by.

JSON stands for "JavaScript Object Notation", a format by which object fields are represented as key-value pairs.

How it works[edit]

To see how this technique works, first consider a URL request that returns JSON data. A JavaScript program might request this URL via XMLHttpRequest, for example. Suppose the user ID of a person Foo is 1234. A browser requesting the URL http://server.example.com/Users/1234, passing the ID of 1234, would receive data (usually dynamically generated) similar to:

    "Name": "Foo",
    "Id": 1234,
    "Rank": 7

Here, an HTML <script> element specifies for its src attribute a URL that returns JSON:

1 <script type="application/javascript"
2         src="http://server.example.com/Users/1234">
3 </script>

The browser will, in order, download the script file, evaluate its contents, interpret the raw JSON data as a block, and throw a syntax error. Even if the data was interpreted as a JavaScript object literal, it could not be accessed by JavaScript running in the browser, since without a variable assignment, object literals are inaccessible.

In the JSONP usage pattern, the URL request pointed to by the src attribute in the <script> element returns JSON data, with JavaScript code (usually a function call) wrapped around it. This "wrapped payload" is then interpreted by the browser. In this way, a function that is already defined in the JavaScript environment can manipulate the JSON data. A typical JSONP request and response are shown below.

The function call to parseResponse() is the "P" of JSONP—the "padding" around the pure JSON, or according to some[2] the "prefix".

Note that for JSONP to work, a server must reply with a response that includes the JSONP function. JSONP does not work with JSON-formatted results. The JSONP function invocation that gets sent back, and the payload that the function receives, must be agreed-upon by the client and server.

By convention, the browser provides the name of the callback function as a named query parameter value, typically using the name jsonp or callback as the named query parameter field name, in its request to the server, e.g.,

<script type="application/javascript"

In this example, the received payload would be:

parseResponse({"Name": "Foo", "Id": 1234, "Rank": 7});

Script element injection[edit]

JSONP makes sense only when used with a script element. For each new JSONP request, the browser must add a new <script> element, or reuse an existing one. The former option—adding a new script element—is done via dynamic DOM manipulation, and is known as script element injection. The <script> element is injected into the HTML DOM, with the URL of the desired JSONP endpoint set as the "src" attribute. This dynamic script element injection is usually done by a JavaScript helper library. jQuery and other frameworks have JSONP helper functions; there are also standalone options.[3][4][5]

An example of the dynamically injected script element for a JSONP call looks like this:

1 <script type="application/javascript"
2         src="http://server.example.com/Users/1234?callback=parseResponse">
3 </script>

After the element is injected, the browser evaluates the element, and performs an HTTP GET on the src URL, retrieving the content. Then the browser evaluates the return payload as JavaScript. This is typically a function invocation.

In that way, the use of JSONP can be said to allow browser pages to work around the same-origin policy via script element injection.

The script runs within the scope of the including page and, as such, is still subject to cross-domain restrictions relative to the domain of the including page. This means that a web page cannot, for example, load a library hosted on another site via JSONP and then make XMLHttpRequest requests to that site (unless cross-origin resource sharing (CORS) is supported), although one could use such a library to make XMLHttpRequests to one's own site.

Cross-domain requests using a proxy server[edit]

The JavaScript same-origin policy normally prevents browsers from sending AJAX requests to a different domain and receiving a response (newer browsers that support CORS can relax this constraint). A cooperating proxy server, however, does not have such restrictions and can relay a browser request to a server in a separate domain, store the result, and then return that JSON payload when the browser makes a second request. The server would be instructed within the first request to store the output (POST returning JSON payload) temporarily into a local store (for example memcached or within a session variable), and a second request from the browser then would fetch the cached response to the initial query.[6] The xd_arbiter.php used by Facebook's JS SDK is a popular example of this cooperating server technique.[7]

Security concerns[edit]

Untrusted third-party code[edit]

Including script tags from remote servers allows the remote servers to inject any content into a website. If the remote servers have vulnerabilities that allow JavaScript injection, the page served from the original server is exposed to an increased risk. If an attacker can inject any JavaScript into the original web page, then that code can retrieve additional JavaScript from any domain, bypassing same-origin policy.[8] The Content Security Policy HTTP Header lets web sites tell web browsers which domain scripts may be included from.

An effort was undertaken around 2011 to define a safer strict subset definition for JSONP[1] that browsers would be able to enforce on script requests with a specific MIME type such as "application/json-p". If the response did not parse as strict JSONP, the browser could throw an error or just ignore the entire response. However, this approach was abandoned in favour of CORS, and the correct MIME type for JSONP remains application/javascript.[9]

Callback name manipulation and reflected file download attack[edit]

Unsanitized callback names may be used to pass malicious data to clients, bypassing the restrictions associated with application/json content type, as demonstrated in reflected file download (RDF) attack from 2014.[10]

Cross-site request forgery[edit]

Naive deployments of JSONP are subject to cross-site request forgery (CSRF or XSRF) attacks.[11] Because the HTML <script> tag does not respect the same-origin policy in web browser implementations, a malicious page can request and obtain JSON data belonging to another site. This will allow the JSON-encoded data to be evaluated in the context of the malicious page, possibly divulging passwords or other sensitive data if the user is currently logged into the other site.

This is problematic only if the JSON-encoded data contains sensitive information which should not be disclosed to a third party, and the server depends on the same-origin policy of the browser to block the delivery of the data in the case of an unauthorized request. This security dependency on the browser's same-origin policy can be avoided by the server determining if the request is authorized and only putting the data on the wire if it is. Exclusive use of cookies for determining if a request is authorized should be avoided as it is subject to cross-site request forgery.

Rosetta Flash[edit]

Rosetta Flash is an exploitation technique that allows an attacker to exploit servers with a vulnerable JSONP endpoint by causing Adobe Flash Player to believe that an attacker-specified Flash applet originated on the vulnerable server. Flash Player implements same-origin policy allowing to make requests (with cookies) and receive responses from the hosting site. The applet can then send the retrieved data back to the attacker. This is a cross-origin exploit with an impact similar to embedding an arbitrary Flash applet in the vulnerable domain. The exploit uses an ActionScript payload compiled to an SWF file composed entirely of alphanumeric characters by crafting a zlib stream with a particular header and DEFLATE blocks with ad-hoc Huffman coding. The resulting alphanumeric-only SWF file is then used as the callback parameter of a JSONP call. High profile sites such as Google, YouTube, Twitter, Yahoo!, Yandex, LinkedIn, eBay, Instagram and Tumblr were all vulnerable until July 2014.[12] This vulnerability was discovered and published by Google security engineer Michele Spagnuolo[13] and has CVE 2014-4671[14] and CVE 2014-5333.[15] Adobe Flash Player release version, released on July 8, 2014, introduced stronger validation of Flash files,[16] and in version, released on August 12, 2014, finalized the fix,[17] preventing this exploit from working.


In July 2005 George Jempty suggested an optional variable assignment be prepended to JSON.[18][19] The original proposal for JSONP, where the padding is a callback function, appears to have been made by Bob Ippolito in December 2005[20] and is now used by many Web 2.0 applications such as Dojo Toolkit, Google Web Toolkit and Web services.

See also[edit]


  1. ^ a b "Safer cross-domain Ajax with JSON-P/JSONP". JSON-P.org. Retrieved 2011-10-30. 
  2. ^ "Experimental RDF result set to JSON translator". Archived from the original on November 15, 2014. Retrieved February 20, 2012. 
  3. ^ "example jsonp library on pastebin". 
  4. ^ "Basic JSONP helper (pure JS)". 
  5. ^ "jQuery's $.getJSON utility". 
  6. ^ http://www.flinkwise.com/technology-blog/a-way-to-send-json-p-post-requests-to-another-domain-with-jquery-and-rails-in-the-back-end/
  7. ^ Kinsey, Sean. "Facebook and Cross domain messaging clarification?". Stack Exchange, Inc. Retrieved 2013-11-22. 
  8. ^ Ben Hayak (2014-10-17). "Same Origin Method Execution" (PDF). Retrieved 2014-10-22. 
  9. ^ Grey, Eli (2010-06-27). "Is this safe for providing JSONP?". stackoverflow.com. Retrieved 2012-09-07. 
  10. ^ Oren Hafif (2014). "Reflected File Download - A New Web Attack Vector". TrustWave. Retrieved 2015-03-25. 
  11. ^ Grossman, Jeremiah (January 27, 2006). "Advanced Web Attack Techniques using GMail". Retrieved July 3, 2009. 
  12. ^ Michele, Spagnuolo. "Abusing JSONP with Rosetta Flash". Retrieved July 20, 2014. 
  13. ^ "Google - list of software vulnerabilities discovered or fixed by Googlers". Retrieved July 29, 2014. 
  14. ^ "MITRE: CVE-2014-4671". Retrieved July 29, 2014. 
  15. ^ "MITRE: CVE-2014-5333". Retrieved August 21, 2014. 
  16. ^ "Adobe Security Bulletin APSB14-17". Retrieved July 29, 2014. 
  17. ^ "Adobe Security Bulletin APSB14-18". Retrieved August 21, 2014. 
  18. ^ "eval'ing JSON". July 19, 2005. Archived from the original on February 12, 2006. 
  19. ^ "json: Message: Re: Comments". August 17, 2005. 
  20. ^ "Remote JSON - JSONP". from __future__ import *. Bob.pythonmac.org. December 5, 2005. Retrieved September 8, 2008. 

External links[edit]