什么是JSONP？ [英] What is JSONP all about?

问题描述

我理解JSON，但不了解JSONP。 维基百科关于JSON的文档是（曾）JSONP的热门搜索结果。它说：

I understand JSON, but not JSONP. Wikipedia's document on JSON is (was) the top search result for JSONP. It says this:

JSONP或带填充的JSON是一个JSON扩展，其中前缀被指定为调用本身的输入参数。

JSONP or "JSON with padding" is a JSON extension wherein a prefix is specified as an input argument of the call itself.

嗯？什么电话？这对我没有任何意义。 JSON是一种数据格式。没有电话。

Huh? What call? That doesn't make any sense to me. JSON is a data format. There's no call.

第二个搜索结果来自名为 Remy 的人，他写了关于JSONP的文章：

The 2nd search result is from some guy named Remy, who writes this about JSONP:

JSONP是脚本标记注入，将响应从服务器传递到用户指定的函数。

JSONP is script tag injection, passing the response from the server in to a user specified function.

我可以理解这一点，但它仍然没有任何意义。

I can sort of understand that, but it's still not making any sense.

那么什么是JSONP？它为什么被创建（它解决了什么问题）？为什么我会用它？

So what is JSONP? Why was it created (what problem does it solve)? And why would I use it?

附录：我刚刚创建了 JSONP的新页面;它现在基于 jvenema 的答案，对JSONP进行了清晰而全面的描述。

Addendum: I've just created a new page for JSONP on Wikipedia; it now has a clear and thorough description of JSONP, based on jvenema's answer.

推荐答案

实际上并不太复杂......

It's actually not too complicated...

假设您在域example.com上，并且您想向域example.net发出请求。要做到这一点，你需要跨越域边界，在大多数浏览器领域都是禁忌。

Say you're on domain example.com, and you want to make a request to domain example.net. To do so, you need to cross domain boundaries, a no-no in most of browserland.

绕过此限制的一项是< script>标签。当您使用脚本标记时，域限制将被忽略，但在正常情况下，您无法执行任何结果，脚本只会被评估。

The one item that bypasses this limitation is <script> tags. When you use a script tag, the domain limitation is ignored, but under normal circumstances, you can't really do anything with the results, the script just gets evaluated.

输入JSONP。当您向启用了JSONP的服务器发出请求时，您会传递一个特殊参数，告诉服务器一些关于您的页面的信息。这样，服务器就能够以您的页面可以处理的方式很好地包装其响应。

Enter JSONP. When you make your request to a server that is JSONP enabled, you pass a special parameter that tells the server a little bit about your page. That way, the server is able to nicely wrap up its response in a way that your page can handle.

例如，假设服务器需要一个名为callback的参数来启用其JSONP功能。然后您的请求将如下所示：

For example, say the server expects a parameter called "callback" to enable its JSONP capabilities. Then your request would look like:

http://www.example.net/sample.aspx?callback=mycallback

如果没有JSONP，这可能会返回一些基本的JavaScript对象，如下所示：

Without JSONP, this might return some basic JavaScript object, like so:

{ foo: 'bar' }

然而，对于JSONP，当服务器收到callback参数时，它会以稍微不同的方式包装结果，返回如下内容：

However, with JSONP, when the server receives the "callback" parameter, it wraps up the result a little differently, returning something like this:

mycallback({ foo: 'bar' });

如您所见，它现在将调用您指定的方法。因此，在您的页面中，您定义了回调函数：

As you can see, it will now invoke the method you specified. So, in your page, you define the callback function:

mycallback = function(data){
  alert(data.foo);
};

现在，当加载脚本时，它将被评估，你的函数将被执行。 Voila，跨域请求！

And now, when the script is loaded, it'll be evaluated, and your function will be executed. Voila, cross-domain requests!

值得注意JSONP的一个主要问题：您失去了对请求的大量控制权。例如，没有好的方法来获取正确的故障代码。结果，您最终使用计时器来监视请求等，这总是有点可疑。 JSONRequest 的提议是允许跨域脚本编写，维护安全性和允许适当控制的绝佳解决方案请求。

It's also worth noting the one major issue with JSONP: you lose a lot of control of the request. For example, there is no "nice" way to get proper failure codes back. As a result, you end up using timers to monitor the request, etc, which is always a bit suspect. The proposition for JSONRequest is a great solution to allowing cross domain scripting, maintaining security, and allowing proper control of the request.

这些天（2015年）， CORS 是与JSONRequest相比的推荐方法。 JSONP对旧的浏览器支持仍然有用，但考虑到安全性的影响，除非你别无选择，否则CORS是更好的选择。

These days (2015), CORS is the recommended approach vs. JSONRequest. JSONP is still useful for older browser support, but given the security implications, unless you have no choice CORS is the better choice.

这篇关于什么是JSONP？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！