什么是JSONP,为什么创建了JSONP? [英] What is JSONP, and why was it created?
问题描述
我了解JSON,但不了解JSONP. Wikipedia上有关JSON的文档是JSONP的最高搜索结果.它说:
I understand JSON, but not JSONP. Wikipedia's document on JSON is (was) the top search result for JSONP. It says this:
JSONP或带填充的JSON"是JSON扩展,其中将前缀指定为调用本身的输入参数.
JSONP or "JSON with padding" is a JSON extension wherein a prefix is specified as an input argument of the call itself.
嗯?什么电话这对我来说没有任何意义. JSON是一种数据格式.没有电话.
Huh? What call? That doesn't make any sense to me. JSON is a data format. There's no call.
第二搜索结果来自某个名为雷米,他写了关于JSONP的这篇文章:
The 2nd search result is from some guy named Remy, who writes this about JSONP:
JSONP是脚本标记注入,它将来自服务器的响应传递到用户指定的函数中.
JSONP is script tag injection, passing the response from the server in to a user specified function.
我可以理解,但这仍然没有任何意义.
I can sort of understand that, but it's still not making any sense.
那么JSONP是什么?为什么创建它(它解决了什么问题)?我为什么要使用它?
So what is JSONP? Why was it created (what problem does it solve)? And why would I use it?
附录:我刚刚创建了 JSONP的新页面在Wikipedia上;根据 jvenema 的答案,它现在对JSONP有了清晰而透彻的描述.
Addendum: I've just created a new page for JSONP on Wikipedia; it now has a clear and thorough description of JSONP, based on jvenema's answer.
推荐答案
实际上并不太复杂...
It's actually not too complicated...
假设您在域 example.com 上,并且要向域 example.net 发出请求.为此,您需要跨越域边界,这在大多数浏览器领域都是不可以.
Say you're on domain example.com, and you want to make a request to domain example.net. To do so, you need to cross domain boundaries, a no-no in most of browserland.
绕过此限制的一项是<script>标签.使用脚本标记时,将忽略域限制,但是在正常情况下,您不能真正对结果进行任何任何操作,只是对脚本进行了评估.
The one item that bypasses this limitation is <script> tags. When you use a script tag, the domain limitation is ignored, but under normal circumstances, you can't really do anything with the results, the script just gets evaluated.
输入 JSONP .当您向启用JSONP的服务器发出请求时,您将传递一个特殊的参数,该参数告诉服务器有关您的页面的一些信息.这样,服务器就可以用页面可以处理的方式很好地包装其响应.
Enter JSONP. When you make your request to a server that is JSONP enabled, you pass a special parameter that tells the server a little bit about your page. That way, the server is able to nicely wrap up its response in a way that your page can handle.
例如,假设服务器需要一个名为 callback 的参数来启用其JSONP功能.然后您的请求将如下所示:
For example, say the server expects a parameter called callback to enable its JSONP capabilities. Then your request would look like:
http://www.example.net/sample.aspx?callback=mycallback
如果没有JSONP,这可能会返回一些基本的JavaScript对象,如下所示:
Without JSONP, this might return some basic JavaScript object, like so:
{ foo: 'bar' }
但是,使用JSONP,当服务器接收到"callback"参数时,它对结果的包装会有所不同,返回如下所示:
However, with JSONP, when the server receives the "callback" parameter, it wraps up the result a little differently, returning something like this:
mycallback({ foo: 'bar' });
如您所见,它现在将调用您指定的方法.因此,在页面中,您定义了回调函数:
As you can see, it will now invoke the method you specified. So, in your page, you define the callback function:
mycallback = function(data){
alert(data.foo);
};
现在,加载脚本后,将对其进行评估,然后将执行您的函数.瞧,跨域请求!
And now, when the script is loaded, it'll be evaluated, and your function will be executed. Voila, cross-domain requests!
值得注意的是JSONP的一个主要问题:您失去了对请求的大量控制.例如,没有不错"的方法来找回正确的故障代码.结果,您最终会使用计时器来监视请求等,这总是有点可疑. JSONRequest 的建议是允许跨域脚本编写,维护安全性并允许适当控制的绝佳解决方案的请求.
It's also worth noting the one major issue with JSONP: you lose a lot of control of the request. For example, there is no "nice" way to get proper failure codes back. As a result, you end up using timers to monitor the request, etc, which is always a bit suspect. The proposition for JSONRequest is a great solution to allowing cross domain scripting, maintaining security, and allowing proper control of the request.
这几天(2015年),与JSONRequest相比, CORS 是推荐的方法. JSONP对于较旧的浏览器支持仍然有用,但是考虑到安全隐患,除非您别无选择,否则CORS是更好的选择.
These days (2015), CORS is the recommended approach vs. JSONRequest. JSONP is still useful for older browser support, but given the security implications, unless you have no choice CORS is the better choice.
这篇关于什么是JSONP,为什么创建了JSONP?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
