Principle Analysis of Jsonp Cross-domain

Last Update:2014-06-29 Source: Internet

Author: User

Tags domain server

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

JavaScript is a front-end dynamic scripting technique that is often used in web Development. In javascript, there is a very important security restriction called "same-origin policy" (same-origin strategy). This strategy is an important restriction on the page content that JavaScript code can access, meaning that JavaScript can only access content under the same domain as the document containing it.JavaScript is especially important when it comes to multi-iframe or Multi-window programming, as well as Ajax Programming. According to this strategy, the JavaScript code contained in the page under Baidu.com cannot access the content of the page under the google.com domain name, and even pages between different subdomains cannot be accessed through JavaScript code. The effect on Ajax is that Ajax requests implemented through XMLHttpRequest cannot submit requests to different domains, such as pages under abc.example.com, cannot submit Ajax requests to def.example.com, and so On.however, when doing some more in-depth front-end programming, it is unavoidable to Cross-domain operation, when the "homologous strategy" is too Harsh. JSONP Cross-domain GET request is a common solution, let's take a look at how Jsonp Cross-domain is implemented, and explore the principle of the next Jsonp cross-domain.The method of submitting HTTP requests to different domains with the method of creating <script> nodes in the page is called jsonp, which solves the problem of submitting Ajax requests across Domains. The working principle of JSONP is as Follows:Assuming that a GET request is submitted to http://example2.com/getinfo.php on this page of http://example1.com/index.php, we can put the following JavaScript code in http// example1.com/index.php this page to Implement:<pre><pre>var elescript= document.createelement ("script"= "text/javascript"= "http://example2.com /getinfo.php ";d ocument.getelementsbytagname (" HEAD ") [0].appendchild (elescript);</pre></pre>When a GET request is returned from http://example2.com/getinfo.php, a piece of JavaScript code can be returned, which is executed automatically and can be used to call http://example1.com/ A callback function in the index.php page.The advantage of JSONP is that it is not subject to the Same-origin policy as AJAX requests implemented by XMLHttpRequest objects, that it is better compatible, that it works in older browsers, and that it does not require XMLHttpRequest or ActiveX support , and after the request is complete, the result can be returned by calling Callback.The disadvantage of JSONP is that it only supports get requests and does not support other types of HTTP requests such as post, which only supports Cross-domain HTTP requests, and does not solve the problem of how to make JavaScript calls between two pages in different domains.One more example:<pre>varQsdata = {' Searchword ': $ ("#searchWord"). attr ("value"), ' Currentuserid ':$("#currentUserId"). attr ("value"), ' conditionbean.pagesize ': $ ("#pageSize"). attr ("value"))};$.ajax ({async:false, url:http://Cross-domain dns/document!searchjsonresult.action,Type: "GET", DataType:' Jsonp ', Jsonp:' Jsoncallback ', data:qsdata, timeout:5000, Beforesend:function(){ //Jsonp Mode This method is not triggered. the reason may be datatype if you specify jsonp, It's not an AJAX event anymore .}, success:function(json) {//client jquery pre-defined callback function, after successfully obtaining the JSON data on the Cross-domain server, will execute this callback function dynamically if(json.actionerrors.length!=0) {alert (json.actionerrors); } gendynamiccontent (qsdata,type,json); }, complete:function(xmlhttprequest, Textstatus) {$.unblockui ({fadeOut:10 }); }, error:function(xhr) {//Jsonp Mode This method is not triggered. the reason may be datatype if you specify jsonp, It's not an AJAX event anymore . //Request Error HandlingAlert ("request Error (please check the correlation network condition.)"); } });</pre>Sometimes you will see this:<pre><pre>$.getjson ("http//cross-domain dns/document!searchjsonresult.action?name1=" +value1+ "&jsoncallback=?" , function (json) { if(json. property name = = Value) {// </pre></pre>This is actually a high-level package of the previous example $.ajax ({..}) api, and some of the $.ajax Api's underlying parameters are encapsulated and not visible.In this way, jquery is assembled into the following URL get request:<pre><pre>http:// cross-domain dns/document!searchjsonresult.action?&jsoncallback=jsonp1236827957501&_= 1236828192549&searchword=%e7%94%a8%e4%be%8b&currentuserid=5351&conditionbean.pagesize=15</pre></pre>On the response side (http///cross-domain dns/document!searchjsonresult.action), via jsoncallback = Request.getparameter ("jsoncallback") Get the jquery end to callback the JS function name:jsonp1236827957501 then response content for a script Tags: "jsonp1236827957501 (" + JSON array generated by request parameter + ")"; jquery will invoke this JS tag:jsonp1236827957501 (json Array) dynamically via callback Method. This achieves the purpose of Cross-domain data exchange.JSONP principleThe most basic principle of jsonp is: adding a <script> tag dynamically, and the SRC attribute of the script tag is not a cross-domain Limitation. In this way, this cross-domain approach is actually unrelated to the Ajax XMLHttpRequest Protocol.In fact, "jquery Ajax Cross-domain problem" has become a pseudo-proposition, jquery $.ajax method name is Misleading.If set to Datatype: ' Jsonp ', This $.ajax method has nothing to do with Ajax xmlhttprequest, instead it is the JSONP Protocol. JSONP is an unofficial protocol that allows the Server-side integration of script tags back to the client to achieve Cross-domain access through JavaScript callback.JSONP is the JSON with Padding. Due to the limitations of the Same-origin policy, XMLHttpRequest only allows resources to be requested for the current source (domain name, protocol, port). If Cross-domain requests are made, we can make Cross-domain requests by using the HTML script tag and return the script code to execute in the response, where the JavaScript object can be passed directly using Json. This Cross-domain communication method is called Jsonp.Jsoncallback function jsonp1236827957501 (...) : A callback function that is registered by the browser client and gets the JSON data on the Cross-domain serverThe JSONP is executed as Follows:First register a callback (for example: ' Jsoncallback ') on the client, and then pass Callback's name (for example: jsonp1236827957501) to the Server. Note: after the server gets the value of callback, use jsonp1236827957501 (...). Include the JSON content that will be output, at which point the server generates JSON data to be properly received by the Client.then, in JavaScript syntax, a function is generated, and the function name is the value jsonp1236827957501 of the parameter ' jsoncallback ' passed up.finally, The JSON data is placed directly into the function in the form of a parameter, so that a document of JS syntax is generated and returned to the Client.The client browser parses the script tag and executes the returned JavaScript document, at which time the JavaScript document data, as parameters, is passed to the Client's pre-defined callback function (as in the previous example, jquery $.ajax () Success:function (json) in the method Encapsulation.Can say Jsonp way principle and <script src= "//cross-domain/...xx.js" ></script> is consistent (qq space is a large number of this way to achieve cross-domain data exchange). JSONP is a script injection (scripts Injection) behavior, So there is a certain security implications.Why does jquery not support the post way cross-domain?Although the use of post+ dynamic generation of IFRAME is possible to achieve the purpose of post Cross-domain (there is a bit of JS cattle is this way to make jquery1.2.5 patch), but this is a more extreme way, not Recommended.can also say get way Cross-domain is legal, post way from security angle, is considered illegal, last but not the sword walk pifo.The need for Client-side Cross-domain access seems to have attracted the attention of the HTML5 WebSocket standard supports Cross-domain data exchange, and should also be a future-selectable cross-domain data exchange Solution.Here's a very simple example:<pre><pre><! DOCTYPE HTML Public "-//w3c//dtd XHTML 1.0 transitional//en" "HTTP://WWW.W3.ORG/TR/XHTML1/DTD/XHTML1-TRANSITIONAL.DTD ">

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More