What is JSONP?

July 3, 2013


Today I was asked for some help with understanding the difference between JSON and JSONP, and how to apply the two, so this is a good opportunity to go over some things about how JSON and JSONP are used for AJAX requests, and why issues of security result in some difficulties.

The problem of security

JSONP is a response to wanting to get data from a different website, without exposing yourself to cross-domain security risks. A problem that websites have to face is that someone might add a comment and embed <script> tags within that comment which retrieve code from some other domain, normally for bad purposes. Potentially making things even less secure, is that XMLHttpRequest allows a script to send information at any time, so to help limit the scope for abuse, XMLHttpRequest is restricted to communicating only within the same domain of the page. JSON is a simple data format, expressed using JavaScript objects and arrays, where a script uses XMLHttpRequest to perform an AJAX request that to retrieves information from somewhere else within your domain. This allows the page to obtain the information that it needs without having to reload the page or load up a new page.

Contacting new worlds

But what happens when you require information from somewhere outside of your domain? JSONP is a standard that provides a safe way to do that. A <script> tag on your page is allowed to request information from another domain, for example:

<script type="text/javascript" src="http://code.jquery.com/jquery-1.10.1.js">

but <script> tags must contain valid scripting code, not data. If just JSON data is loaded then that would result in a syntax error. So a function call is wrapped around the data so that the data can then be passed to that function, and processed.

A JSON request

A request from http://www.example.com/get/data might result in the following JSON data:

 "firstName": "John",
 "lastName": "Smith",
 "address": {
 "streetAddress": "21 2nd Street"

But if the above JSON data is loaded in to the <script> tag though, it wouldn’t be valid scripting code. It needs to be either assigned to a function, or passed as an argument to a function.

Wrapping up with JSONP

How JSONP helps to solve the problem is to let your page pass the data to a function. You supply the name of a function name on your page that will handle the data, and the site from where you are requesting the data will wrap the name of your function around the JSON code. This means that the request for JSONP data then becomes: http://www.example.com/get/data?jsonp=parseResponse

 "firstName": "John",
 "lastName": "Smith",
 "address": {
 "streetAddress": "21 2nd Street"

It’s important to note that not all data feeds support JSONP. The purpose is to only allow such forms of communication where you want another website to be able to access that data. When a data location supports JSONP, it can accept a function name that you give it and wrap it around their data.

Easy handling

So now, as long as you already have a function defined called <code>parseResponse</code>, you can then handle that data without any trouble.

function parseResponse(data) {
 // do stuff with data
 // ...

Because there is a potential for security trouble if you always use the same name, libraries such as jQuery use a different name each time.

An example with flickr

What would this look like in actual practice? With jQuery we can come up with a nice and simple example, because jQuery automatically provides a callback function name and passes any response on to the done section of the script. This example uses JSONP to retrieve images and show the first 4 images (counting from 0 to 3) from the public flickr feed, by adding them to an images section on the web page.

var flickerAPI = "http://api.flickr.com/services/feeds/photos_public.gne?jsoncallback=?";
$.getJSON(flickerAPI, {
 tags: "mount rainier",
 tagmode: "any",
 format: "json"
.done(function(data) {
 $.each(data.items, function(i, item) {
 $("<img alt="" />").attr("src", item.media.m).appendTo("#images");
 if (i === 3) {
 return false;

The above example can be seen in action at http://jsfiddle.net/pmw57/S69YU/ where you can play around with it as well.