Is there any reason to not use JSONP?

I am developing a REST client which will talk to a project management service called attask.

Their REST API is convenient because it returns simple JSON that is easy to use in my code. Because of this I decided to build the interface with jQuery. I quickly discovered that I cannot use AJAX from my site to the Attask API because of the Same Origin Policy.

My first thought was to develop a server-side rest client using RESTSharp that would act as a bridge between my javascript and the Attask API.

Before I could get started with that implementation I discovered JSONP. This is new to me. It turns out that the Attask API supports JSONP. jQuery supports JSONP natively so suddenly I'm back to making a complete jQuery interface with no need for server-side intervention.

My question is, is there a reason not to use JSONP? Would there be any benefit to going the extra mile and building the server-side REST client and using real AJAX calls?

Just bear in mind that JSONP is exactly what you're looking for: a workaround for the Same Origin Policy. With that will come all the security problems that the Same Origin Policy was intended to avoid. The upside is that you get to choose a specific domain that you trust. The downside is, if that domain decides to violate your trust they can now run arbitrary javascript code on your web pages, allowing them to send any information they want to their own servers.

If you trust 'em, go for it. If you don't, set up your own server-side proxy.
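
The trade-off described in this answer, as an added example that is not part of the original post: a JSONP response is executed as script with the page's privileges, while a response relayed by your own server-side proxy is only parsed as data. The sample bodies, the `handleProjects` callback and the `page` object are constructed for illustration, and `new Function` stands in for the browser's `<script>` loading so the sketch runs in Node.

```javascript
// Constructed sample responses; handleProjects and the field names are hypothetical.
const honestJsonp = 'handleProjects({"projects":[{"id":1,"name":"Website"}]});';
// A response from the same trusted domain that does more than call the callback.
const alteredJsonp =
  'handleProjects({"projects":[]}); page.copiedOut = page.csrfToken;';
// What a same-origin proxy would relay after fetching plain JSON server-side.
const proxiedJson = '{"projects":[{"id":1,"name":"Website"}]}';

// Stand-in for <script src="...?callback=handleProjects">: the body is executed
// as code and can reach whatever the page's own scripts can reach.
function loadViaJsonp(body, page) {
  let received = null;
  const handleProjects = (data) => { received = data; };
  new Function("page", "handleProjects", body)(page, handleProjects);
  return received;
}

// Client side of a same-origin proxy: the body is parsed as data, never executed.
function loadViaProxy(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (err) {
    return { ok: false, data: null };
  }
}

function demo() {
  // Constructed page state holding a value the page would want to keep private.
  const page = { csrfToken: "constructed-token", copiedOut: null };
  const honest = loadViaJsonp(honestJsonp, page);
  const untouchedAfterHonest = page.copiedOut === null;
  loadViaJsonp(alteredJsonp, page);
  return {
    honestName: honest.projects[0].name,
    untouchedAfterHonest,
    copiedOutAfterAltered: page.copiedOut,
    proxyAcceptsJson: loadViaProxy(proxiedJson).ok,
    proxyAcceptsScript: loadViaProxy(alteredJsonp).ok,
  };
}

console.log(demo());
```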
