JSON and JSONP

The official specifications

Security issues

Same origin security policy

The concept of the web “origin” is defined in RFC 6454. A web page or a Java applet has an origin and is only allowed to connect to resources from that origin.

Communication between applets running in the same browser window is prohibited, so that sibling applets can’t forward information to each other.

JavaScript vs Java

When a Java applet is loaded as part of a page, the origin of the applet is derived from its URL.

When JavaScript is inserted via the <script> tag, the origin remains that of the loaded page.

Bypassing security

How about loading a JavaScript script via a <script> tag with a remote src? This script will be run in your browser with the same origin as the page! The script could even be generated via CGI to contain calls to your other JavaScript functions!
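A model of the behaviour described above, as an added example that is not part of the original page: the same remote response is handled once as a script (JSONP style) and once as data with JSON.parse. The page functions `showWeather` and `deleteDraft` and all response bodies are constructed for illustration, and `Function` with `with()` stands in for the browser running a script with the page's globals in scope.

```javascript
// Model of a page's global scope: its functions and state (all names constructed).
function makePage() {
  const page = { received: [], deleted: [] };
  page.showWeather = (data) => page.received.push(data); // the intended JSONP callback
  page.deleteDraft = (id) => page.deleted.push(id);      // an unrelated page function
  return page;
}

// What <script src="..."> does with a response body: run it as code with the
// page's globals in scope. Modelled with Function + with(), so no browser is needed.
function loadAsScript(page, body) {
  new Function('page', 'with (page) { ' + body + ' }')(page);
}

// What fetching the body and calling JSON.parse does: accept data only.
function loadAsData(page, body) {
  try {
    page.showWeather(JSON.parse(body));
    return true;
  } catch (e) {
    return false; // not pure JSON: rejected, nothing was executed
  }
}

// Constructed response bodies from the remote server.
const honestJsonp = 'showWeather({"city":"Oslo","tempC":4});';
const alteredJsonp = 'showWeather({"city":"Oslo","tempC":4}); deleteDraft(7);';
const plainJson = '{"city":"Oslo","tempC":4}';

function demo() {
  const a = makePage(); loadAsScript(a, honestJsonp);
  const b = makePage(); loadAsScript(b, alteredJsonp);
  const c = makePage(); const jsonAccepted = loadAsData(c, plainJson);
  const d = makePage(); const alteredAccepted = loadAsData(d, alteredJsonp);
  return {
    honestDeleted: a.deleted.length,   // script only called the callback
    alteredDeleted: b.deleted.length,  // script also reached deleteDraft
    alteredReceived: b.received.length,
    jsonAccepted, jsonReceived: c.received.length,
    alteredAccepted, dataDeleted: d.deleted.length,
  };
}

console.log(demo());
```

Loaded as a script, the response decides which page functions get called; loaded as data, a body that is anything other than JSON is rejected before any page function runs.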

Bypassing security more than once

You can even modify the DOM to load more JavaScript with new <script> tags.

Huh?