Using JSONP

JSON Padding (JSONP) is a mechanism that enables cross-site scripting support in Web browsers, in the sense of letting a page load data from another site as a script (this is not the XSS vulnerability class). JSONP is designed around the ability of Web browsers to load scripts from a site different from the one from which the currently loaded document was retrieved. The mechanism works by padding the JSON payload with a user-defined callback function name, as shown in the following example.

callback({"a": "b"});

In the preceding example the JSON payload, {"a": "b"}, is wrapped in a function call, callback. The callback function must already be defined in the current Web page. The content type of a JSONP response is "application/javascript".

Using JSONP

JSONP is not automatically enabled. To enable it, set the javascriptCallbackEnabled attribute to true on one of the HTTP standard endpoints (WebHttpEndpoint or WebScriptEndpoint), as shown in the following example.

<system.serviceModel>
  <standardEndpoints>
    <webHttpEndpoint>
      <standardEndpoint name="" javascriptCallbackEnabled="true"/>
    </webHttpEndpoint>
  </standardEndpoints>
</system.serviceModel>

The name of the callback function can be specified in a query variable called callback as shown in the following URL.

http://baseaddress/Service/RestService?callback=functionName

When invoked, the service sends a response like the following.

functionName({"root":"Something"});

You can also change the name of the query variable that carries the callback function name by applying the JavascriptCallbackBehaviorAttribute to the service class, as shown in the following example.

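using System.ServiceModel;
using System.ServiceModel.Web;

[ServiceContract]
// UrlParameterName sets the query variable that carries the callback name.
[JavascriptCallbackBehavior(UrlParameterName = "$callback")]
public class Service1
{
    [OperationContract]
    [WebGet(ResponseFormat = WebMessageFormat.Json)]
    public string GetData()
    {
        // Sample return value so that the operation compiles.
        return "Something";
    }
}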

For the service shown previously, a request looks like the following.

http://baseaddress/Service/RestService?$callback=anotherFunction

When invoked, the service responds with the following.

anotherFunction({"root":"Something"});

HTTP Status Codes

JSONP responses with HTTP status codes other than 200 include a second parameter with the numeric representation of the HTTP status code, as shown in the following example.

anotherFunction({"root":"Something"}, 201);

Validations

The following validations are performed when JSONP is enabled:

  • The WCF infrastructure throws an exception if javascriptCallback is enabled, a callback query-string parameter is present in the request and the response format is set to JSON.

  • If the request contains the callback query string parameter but the operation is not an HTTP GET, the callback parameter is ignored.

  • If the callback name is null or an empty string, the response is not formatted as JSONP.
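
The GET-only and empty-callback rules and the status-code parameter described above, modelled in JavaScript as an added example (not WCF code and not part of the original page). `formatResponse`, `loadAsScript` and `SAFE_CALLBACK` are hypothetical names, and the identifier check on the callback name is an added assumption, not a behaviour this page states for WCF.

```javascript
// Added example: models the JSONP rules described above. Not a WCF API.
// Assumption (not stated on this page): only reflect callback names that are
// plain JavaScript identifiers, so the query string cannot place arbitrary
// script text into an application/javascript response.
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Hypothetical server-side helper: decides between plain JSON and JSONP.
function formatResponse({ method, callback, status = 200, payload }) {
  const json = JSON.stringify(payload);
  const plain = { contentType: "application/json", body: json };

  // The callback parameter is ignored unless the operation is an HTTP GET.
  if (method !== "GET") return plain;
  // A null or empty callback name means the response is not JSONP.
  if (callback == null || callback === "") return plain;
  // Added check (assumption): refuse names that are not identifiers.
  if (!SAFE_CALLBACK.test(callback)) {
    throw new Error("callback name rejected");
  }
  // Status codes other than 200 travel as a second argument.
  const args = status === 200 ? json : `${json}, ${status}`;
  return {
    contentType: "application/javascript",
    body: `${callback}(${args});`,
  };
}

// Hypothetical client-side model of a script load: the page defines the
// callback first, then the response body runs and calls it.
function loadAsScript(body, callbackName) {
  let received = null;
  const handler = (data, statusCode = 200) => {
    received = { data, statusCode };
  };
  new Function(callbackName, body)(handler);
  return received;
}

// Constructed sample run.
const sample = formatResponse({
  method: "GET", callback: "anotherFunction", status: 201,
  payload: { root: "Something" },
});
console.log(sample.body, loadAsScript(sample.body, "anotherFunction"));
```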
