Cross Domain Limitations With Ajax - JSON

Question

When requesting (ht|x)ml with ajax you can only send requests to the same domain. But if you request JSON you can send it to any domain. Why?

I'm told it's for security but why would a website do something malicious via ajax rather than just directly if that makes sense.

Answer 1

Here is an example of why someone would hack an AJAX request.

https://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/

http://directwebremoting.org/blog/joe/2007/04/04/how_to_protect_a_json_or_javascript_service.html

Answer 2

Injecting JSON directly in your page is not secure at all.

You offer to the loaded scripts full access to the resources in your page(data, cookies, logic).

If the injected code is malicious, it can run actions on your server, post back data to their server(POST is allowed cross domain, not the response but your data are sent anyway), etc...

We're building a web app that makes a heavy use of cross domain accesses.
To solve this problem, we came with a rather simple JSONP sandboxing solution.

Answer 3

The reason it's called JSONP has actually little to do with JSON itself. Doing a cross-domain ajax request is as simple as adding the <script src="http://url.com/data.js></script> tag to your HTML web page; this is the base concept of JSONP and cross-domain ajax.

What happens is that the data.js file is interpreted by JavaScript. This gives us the ability to get data from that data.js file (which is located on another domain), if for example it loads a function that is available in the current scope.

Answer 4

Check out this wikipedia article.

The reason why JSON is 'safe' is because you have to pass it through a callback. The remote site will run return JSON and your javascript library will not just run it blindly but try to pass it to a function you specify, like jsonpCallback( response ). Since you aren't running the remote code directly much more is under your control and all is mostly well in the world.