How is this JSONP without a callback working?

Question

I'm using a client-side SDK, which creates a script under the hood and attaches it to the <head> , and looks like the following:

<script src="http://foo.com?foo=bar"></script>

Notice that there's no callback parameter.

The response sends back the following (with header Content-Type: application/javascript ):

{ document.cookie="something=thing" }

And it sets the cookie in the browser (I can see when I look at the cookies in the dev tools).

The strange this is, in the URL of the script, there's no callback parameter, as you would normally expect in a JSONP request.

I tried to replicate this behavior by adding a similar script to a local web page and am hitting a local server that returns the same response, but it doesn't set a cookie, unlike the SDK. The SDK itself is pretty simple and I don't see any other magic happening.

Has anyone seen anything like this before? How does it work?

Edit: here is the internal SDK method and sample response

    _jsonp: function(o, e) {
        var t = document.createElement("script");
        t.type = "text/javascript", t.src = e, t.async = !0, document.getElementsByTagName("head")[0].appendChild(t), o.log("SENT JSONP request: " + e)
    },

Sample response:

Response headers

Connection: keep-alive
Content-Encoding: gzip
Content-Length: 158
Content-Type: application/javascript

Response body

{document.cookie=<redacted>}

Answer 1

Despite the method name in the API source code, it isn't JSONP.

JSONP is a JavaScript program which conforms to the specific format of: Contains only a function call, with one argument, which would be JSON if it was taken out of the JavaScript program and put in a JSON file.

JSONP works by injecting a <script> element which loads and executes the JavaScript program.

What you have here is a JavaScript program that doesn't conform to the JSONP format.

It is still a JavaScript program.

Loading with a <script> still works.