Most votes on ajax questions 10

#91 how to bypass Access-Control-Allow-Origin?
#92 jQuery Ajax calls and the Html.AntiForgeryToken()
#93 Determine if $.ajax error is a timeout
#94 JavaScript implementation of Gzip
#95 Ajax success event not working
#96 When is the @JsonProperty property used and what is it used for?
#97 Set timeout for ajax (jQuery)
#98 Origin <origin> is not allowed by Access-Control-Allow-Origin
#99 What does a Ajax call response like 'for (;;); { json data }' mean?
#100 How to communicate between iframe and the parent site?

Read all the top-voted questions and answers on a single page.

#91: how to bypass Access-Control-Allow-Origin? (Score: 210)

Created: 2011-09-27 Last updated: 2019-02-02

Tags: javascript, php, jquery, ajax, cors

I’m doing an ajax call to my own server on a platform which they set to prevent these ajax calls (but I need it to fetch the data from my server to display retrieved data from my server’s database). My ajax script is working; it can send the data over to my server’s PHP script to allow it to process. However, it cannot get the processed data back as it is blocked by "Access-Control-Allow-Origin".

I have no access to that platform’s source/core, so I can’t remove the script that is disallowing me from doing so. (P.S. I used Google Chrome’s Console and found out this error.)

The Ajax code as shown below:

 $.ajax({
     type: "GET",
     url: "http://example.com/retrieve.php",
     data: "id=" + id + "&url=" + url,
     dataType: 'json',   
     cache: false,
     success: function(data)
      {
        var friend = data[1];              
        var blog = data[2];           
        $('#user').html("<b>Friends: </b>"+friend+"<b><br> Blogs: </b>"+blog);

      } 
  });

Or is there JSON-equivalent code to the ajax script above? I think JSON is allowed.

I hope someone could help me out.

#91 Best answer 1 of how to bypass Access-Control-Allow-Origin? (Score: 384)

Created: 2011-09-27 Last updated: 2021-01-07

Put this on top of retrieve.php:

header('Access-Control-Allow-Origin: *');

Note that this effectively disables CORS protection, and leaves your users exposed to attack. If you’re not completely certain that you need to allow all origins, you should lock this down to a more specific origin:

header('Access-Control-Allow-Origin: https://www.example.com');

Please refer to the following Stack Overflow answer for a better understanding of Access-Control-Allow-Origin:

https://stackoverflow.com/a/10636765/413670

#91 Best answer 2 of how to bypass Access-Control-Allow-Origin? (Score: 307)

Created: 2013-06-13 Last updated: 2018-08-01

Okay, but you all know that the * is a wildcard and allows cross site scripting from every domain?

You would like to send multiple Access-Control-Allow-Origin headers for every site that’s allowed to - but unfortunately it’s officially not supported to send multiple Access-Control-Allow-Origin headers, or to put in multiple origins.

You can solve this by checking the origin, and sending back that one in the header, if it is allowed:

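// Origin header sent by the browser; it is absent on non-CORS requests
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
$allowed_domains = [
    'http://mysite1.com',
    'https://www.mysite2.com',
    'http://www.mysite2.com',
];

// Exact, strict match against the list; echo back only that one origin
if (in_array($origin, $allowed_domains, true)) {
    header('Access-Control-Allow-Origin: ' . $origin);
}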

That’s much safer. You might want to edit the matching and change it to a manual function with some regex, or something like that. At least this will only send back 1 header, and you will be sure it’s the one that the request came from. Please do note that all HTTP headers can be spoofed, but this header is for the client’s protection. Don’t protect your own data with those values. If you want to know more, read up a bit on CORS and CSRF.

Why is it safer?

Allowing access from other locations than your own trusted site allows for session hijacking. I’m going to go with a little example - imagine Facebook allows a wildcard origin - this means that you can make your own website somewhere, and make it fire AJAX calls (or open iframes) to Facebook. This means you can grab the logged-in info of the Facebook of a visitor of your website. Even worse - you can script POST requests and post data on someone’s Facebook - just while they are browsing your website.

Be very cautious when using the ACAO headers!

See also original question in stackoverflow

#92: jQuery Ajax calls and the Html.AntiForgeryToken() (Score: 210)

Created: 2010-11-02 Last updated: 2017-05-23

Tags: asp.net-mvc, ajax, asp.net-mvc-2, csrf, antiforgerytoken

I have implemented in my app the mitigation to CSRF attacks following the information that I have read in some blog posts around the internet. In particular these posts have been the driver of my implementation

Basically those articles and recommendations say that to prevent the CSRF attack anybody should implement the following code:

  1. Add the [ValidateAntiForgeryToken] on every action that accepts the POST HTTP verb

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult SomeAction( SomeModel model ) {
    }

  2. Add the <%= Html.AntiForgeryToken() %> helper inside forms that submit data to the server

    <%= Html.AntiForgeryToken() %>

Anyway, in some parts of my app I am doing Ajax POSTs with jQuery to the server without having any form at all. This happens for example where I am letting the user click on an image to do a specific action.

Suppose I have a table with a list of activities. I have an image on a column of the table that says “Mark activity as completed” and when the user clicks on that activity I am doing the Ajax POST as in the following sample:

$("a.markAsDone").click(function (event) {
    event.preventDefault();
    $.ajax({
        type: "post",
        dataType: "html",
        url: $(this).attr("rel"),
        data: {},
        success: function (response) {
            // ....
        }
    });
});

How can I use the <%= Html.AntiForgeryToken() %> in these cases? Should I include the helper call inside the data parameter of the Ajax call?

Sorry for the long post and thanks very much for helping out

EDIT:

As per jayrdub’s answer, I have used it in the following way

$("a.markAsDone").click(function (event) {
    event.preventDefault();
    $.ajax({
        type: "post",
        dataType: "html",
        url: $(this).attr("rel"),
        data: {
            AddAntiForgeryToken({}),
            id: parseInt($(this).attr("title"))
        },
        success: function (response) {
            // ....
        }
    });
});

#92 Best answer 1 of jQuery Ajax calls and the Html.AntiForgeryToken() (Score: 257)

Created: 2010-11-02 Last updated: 2010-11-02

I use a simple js function like this

AddAntiForgeryToken = function(data) {
    data.__RequestVerificationToken = $('#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]').val();
    return data;
};

Since every form on a page will have the same value for the token, just put something like this in your top-most master page

<%-- used for ajax in AddAntiForgeryToken() --%>
<form id="__AjaxAntiForgeryForm" action="#" method="post"><%= Html.AntiForgeryToken()%></form>	

Then in your ajax call do (edited to match your second example)

$.ajax({
    type: "post",
    dataType: "html",
    url: $(this).attr("rel"),
    data: AddAntiForgeryToken({ id: parseInt($(this).attr("title")) }),
    success: function (response) {
        // ....
    }
});

#92 Best answer 2 of jQuery Ajax calls and the Html.AntiForgeryToken() (Score: 30)

Created: 2012-08-24 Last updated: 2016-04-20

I like the solution provided by 360Airwalk, but it may be improved a bit.

The first problem is that if you make $.post() with empty data, jQuery doesn’t add a Content-Type header, and in this case ASP.NET MVC fails to receive and check the token. So you have to ensure the header is always there.

Another improvement is support of all HTTP verbs with content: POST, PUT, DELETE etc. Though you may use only POSTs in your application, it’s better to have a generic solution and verify that all data you receive with any verb has an anti-forgery token.

$(document).ready(function () {
    var securityToken = $('[name=__RequestVerificationToken]').val();
    $(document).ajaxSend(function (event, request, opt) {
        if (opt.hasContent && securityToken) {   // handle all verbs with content
            var tokenParam = "__RequestVerificationToken=" + encodeURIComponent(securityToken);
            opt.data = opt.data ? [opt.data, tokenParam].join("&") : tokenParam;
            // ensure Content-Type header is present!
            if (opt.contentType !== false || event.contentType) {
                request.setRequestHeader( "Content-Type", opt.contentType);
            }
        }
    });
});

See also original question in stackoverflow

#93: Determine if $.ajax error is a timeout (Score: 209)

Created: 2010-08-22 Last updated: 2014-11-21

Tags: jquery, ajax, connection-timeout

I’m utilizing the magic of jQuery.ajax( settings ).

However, I’m wondering if anyone has played with the timeout setting much?

I know it’s basically for dictating the local time for a request, but can it trigger anything if the timeout is reached? Or does it simply stop listening for a response?

Reading the jQuery site, I can see there are no arguments passed, so it seems like a simple setting with one capability. Which is fine.

But, I’d like to trigger an alert or some function if the timeout is reached. I can see that the error setting doesn’t get triggered, in this case.

Here’s my snippet:

$("form#testform").submit(function(){ 
   
 var allFormValues = $("form#testform").serialize(); 
 
   $.ajax({
    cache:false,
    timeout:8000,  // I chose 8 secs for kicks
    type:"POST",
    url:"someurl.php",
    data:allFormValues,
    error:function(){ alert("some error occurred") },
    success:function(response){ alert(response); }
   });

});

Does anyone know how to work more with timeout?

#93 Best answer of Determine if $.ajax error is a timeout (Score: 359)

Created: 2010-08-22 Last updated: 2017-04-26

If your error event handler takes the three arguments (xmlhttprequest, textstatus, and message) when a timeout happens, the status arg will be ‘timeout’.

Per the jQuery documentation:

Possible values for the second argument (besides null) are “timeout”, “error”, “notmodified” and “parsererror”.

You can handle your error accordingly then.

I created this fiddle that demonstrates this.

$.ajax({
    url: "/ajax_json_echo/",
    type: "GET",
    dataType: "json",
    timeout: 1000,
    success: function(response) { alert(response); },
    error: function(xmlhttprequest, textstatus, message) {
        if(textstatus==="timeout") {
            alert("got timeout");
        } else {
            alert(textstatus);
        }
    }
});

With jsFiddle, you can test ajax calls – it will wait 2 seconds before responding. I put the timeout setting at 1 second, so it should error out and pass back a textstatus of ‘timeout’ to the error handler.

Hope this helps!

See also original question in stackoverflow

#94: JavaScript implementation of Gzip (Score: 209)

Created: 2008-11-16 Last updated: 2010-10-27

Tags: javascript, ajax, compression, gzip

I’m writing a Web application that needs to store JSON data in a small, fixed-size server-side cache via AJAX (think: Opensocial quotas). I do not have control over the server.

I need to reduce the size of the stored data to stay within a server-side quota, and was hoping to be able to gzip the stringified JSON in the browser before sending it up to the server.

However, I cannot find much in the way of JavaScript implementations of Gzip. Any suggestions for how I can compress the data on the client side before sending it up?

#94 Best answer 1 of JavaScript implementation of Gzip (Score: 144)

Created: 2008-11-16 Last updated: 2013-05-09

Edit: There appears to be a better LZW solution that handles Unicode strings correctly at http://pieroxy.net/blog/pages/lz-string/index.html (Thanks to pieroxy in the comments).


I don’t know of any gzip implementations, but the jsolait library (the site seems to have gone away) has functions for LZW compression/decompression. The code is covered under the LGPL.

// LZW-compress a string
function lzw_encode(s) {
    var dict = {};
    var data = (s + "").split("");
    var out = [];
    var currChar;
    var phrase = data[0];
    var code = 256;
    for (var i=1; i<data.length; i++) {
        currChar=data[i];
        if (dict[phrase + currChar] != null) {
            phrase += currChar;
        }
        else {
            out.push(phrase.length > 1 ? dict[phrase] : phrase.charCodeAt(0));
            dict[phrase + currChar] = code;
            code++;
            phrase=currChar;
        }
    }
    out.push(phrase.length > 1 ? dict[phrase] : phrase.charCodeAt(0));
    for (var i=0; i<out.length; i++) {
        out[i] = String.fromCharCode(out[i]);
    }
    return out.join("");
}

// Decompress an LZW-encoded string
function lzw_decode(s) {
    var dict = {};
    var data = (s + "").split("");
    var currChar = data[0];
    var oldPhrase = currChar;
    var out = [currChar];
    var code = 256;
    var phrase;
    for (var i=1; i<data.length; i++) {
        var currCode = data[i].charCodeAt(0);
        if (currCode < 256) {
            phrase = data[i];
        }
        else {
           phrase = dict[currCode] ? dict[currCode] : (oldPhrase + currChar);
        }
        out.push(phrase);
        currChar = phrase.charAt(0);
        dict[code] = oldPhrase + currChar;
        code++;
        oldPhrase = phrase;
    }
    return out.join("");
}

#94 Best answer 2 of JavaScript implementation of Gzip (Score: 54)

Created: 2011-04-12 Last updated: 2011-04-12

I had another problem: I did not want to encode data in gzip but to decode gzipped data. I am running JavaScript code outside of the browser so I need to decode it using pure JavaScript.

It took me some time but I found that in the JSXGraph library there is a way to read gzipped data.

Here is where I found the library: http://jsxgraph.uni-bayreuth.de/wp/2009/09/29/jsxcompressor-zlib-compressed-javascript-code/ There is even a standalone utility that can do that, JSXCompressor, and the code is LGPL licensed.

Just include the jsxcompressor.js file in your project and then you will be able to read base64-encoded gzipped data:

<!doctype html>
<html>
<head>
<title>Test gzip decompression page</title>
<script src="jsxcompressor.js"></script>
</head>
<body>
<script>
	document.write(JXG.decompress('<?php 
        echo base64_encode(gzencode("Try not. Do, or do not. There is no try.")); 
	?>'));
</script>
</body>
</html>

I understand it is not what you wanted but I still reply here because I suspect it will help some people.

See also original question in stackoverflow

#95: Ajax success event not working (Score: 207)

Created: 2009-12-28 Last updated: 2018-02-12

Tags: javascript, jquery, ajax

I have a registration form and am using $.ajax to submit it.

This is my AJAX request:

$(document).ready(function() {
    $("form#regist").submit(function() {
        var str = $("#regist").serialize();
        $.ajax({
            type: 'POST',
            url: 'submit1.php',
            data: $("#regist").serialize(),
            dataType: 'json',
            success: function() {
                $("#loading").append("<h2>you are here</h2>");
            }        
        });
        return false;        
    });
});

In my submit1.php file I check for the existence of the email address and username fields in the database. I wish to display an error message if those values exist without a page refresh.

How can I add this to the success callback of my AJAX request?

#95 Best answer 1 of Ajax success event not working (Score: 403)

Created: 2009-12-28

The result is probably not in JSON format, so when jQuery tries to parse it as such, it fails. You can catch the error with error: callback function.

You don’t seem to need JSON in that function anyways, so you can also take out the dataType: 'json' row.

#95 Best answer 2 of Ajax success event not working (Score: 20)

Created: 2010-09-19 Last updated: 2010-09-19

Although the problem is already solved, I add this in the hope it will help others.

I made the mistake and tried to use a function directly like this (success: OnSuccess(productID)). But you have to pass an anonymous function first:

  function callWebService(cartObject) {
   
    $.ajax({
      type: "POST",
      url: "http://localhost/AspNetWebService.asmx/YourMethodName",
      data: cartObject,
      contentType: "application/x-www-form-urlencoded",
      dataType: "html",
      success: function () {
        OnSuccess(cartObject.productID)
      },
      error: function () {
        OnError(cartObject.productID)
      },
      complete: function () {
        // Handle the complete event
        alert("ajax completed " + cartObject.productID);
      }
    });  // end Ajax        
    return false;
  }

If you do not use an anonymous function as a wrapper, OnSuccess is called even if the webservice returns an exception.

See also original question in stackoverflow

#96: When is the @JsonProperty property used and what is it used for? (Score: 204)

Created: 2012-09-25 Last updated: 2017-09-20

Tags: java, ajax, jackson

This bean ‘State’ :

public class State {
	
	private boolean isSet;

	@JsonProperty("isSet")
	public boolean isSet() {
        return isSet;
	}

	@JsonProperty("isSet")
	public void setSet(boolean isSet) {
        this.isSet = isSet;
	}

}

is sent over the wire using the ajax 'success' callback:

        success : function(response) {	
            if(response.State.isSet){	
                alert('success called successfully');
            }
        }

Is the annotation @JsonProperty required here? What is the advantage of using it? I think I can remove this annotation without causing any side effects.

Reading about this annotation on https://github.com/FasterXML/jackson-annotations/wiki/Jackson-Annotations I don’t know when this is required to be used.

#96 Best answer 1 of When is the @JsonProperty property used and what is it used for? (Score: 261)

Created: 2012-09-25 Last updated: 2017-08-25

Here’s a good example. I use it to rename the variable because the JSON is coming from a .Net environment where properties start with an upper-case letter.

public class Parameter {
  @JsonProperty("Name")
  public String name;
  @JsonProperty("Value")
  public String value; 
}

This correctly parses to/from the JSON:

"Parameter":{
  "Name":"Parameter-Name",
  "Value":"Parameter-Value"
}

#96 Best answer 2 of When is the @JsonProperty property used and what is it used for? (Score: 49)

Created: 2013-10-17 Last updated: 2018-09-12

I think OldCurmudgeon and StaxMan are both correct, but here is a one-sentence answer with a simple example for you.

@JsonProperty(name) tells Jackson ObjectMapper to map the JSON property name to the annotated Java field’s name.

//example of json that is submitted 
"Car":{
  "Type":"Ferrari",
}

//where it gets mapped 
public static class Car {
  @JsonProperty("Type")
  public String type;
 }

See also original question in stackoverflow

#97: Set timeout for ajax (jQuery) (Score: 203)

Created: 2011-03-07 Last updated: 2014-09-16

Tags: javascript, jquery, html, css, ajax

$.ajax({
    url: "test.html",
    error: function(){
        //do something
    },
    success: function(){
        //do something
    }
});

Sometimes the success function works well, sometimes not.

How do I set a timeout for this ajax request? For example, 3 seconds; if time is out, then show an error.

The problem is, ajax request freezes the block until finishes. If server is down for a little time, it will never end.

#97 Best answer 1 of Set timeout for ajax (jQuery) (Score: 350)

Created: 2011-03-07 Last updated: 2011-03-07

Please read the $.ajax documentation, this is a covered topic.

$.ajax({
    url: "test.html",
    error: function(){
        // will fire when timeout is reached
    },
    success: function(){
        //do something
    },
    timeout: 3000 // sets timeout to 3 seconds
});

You can see what type of error was thrown by accessing the textStatus parameter of the error: function(jqXHR, textStatus, errorThrown) option. The options are “timeout”, “error”, “abort”, and “parsererror”.

#97 Best answer 2 of Set timeout for ajax (jQuery) (Score: 119)

Created: 2011-03-07 Last updated: 2016-10-27

Here are some examples that demonstrate setting and detecting timeouts in jQuery’s old and new paradigms.

Live Demo

Promise with jQuery 1.8+

Promise.resolve(
  $.ajax({
    url: '/getData',
    timeout:3000 //3 second timeout
  })
).then(function(){
  //do something
}).catch(function(e) {
  if(e.statusText == 'timeout')
  {     
    alert('Native Promise: Failed from timeout'); 
    //do something. Try again perhaps?
  }
});

jQuery 1.8+

$.ajax({
    url: '/getData',
    timeout:3000 //3 second timeout
}).done(function(){
    //do something
}).fail(function(jqXHR, textStatus){
    if(textStatus === 'timeout')
    {     
        alert('Failed from timeout'); 
        //do something. Try again perhaps?
    }
});

jQuery <= 1.7.2

$.ajax({
    url: '/getData',
    error: function(jqXHR, textStatus){
        if(textStatus === 'timeout')
        {     
             alert('Failed from timeout');         
            //do something. Try again perhaps?
        }
    },
    success: function(){
        //do something
    },
    timeout:3000 //3 second timeout
});

Notice that the textStatus param (or jqXHR.statusText) will let you know what the error was. This may be useful if you want to know that the failure was caused by a timeout.

error(jqXHR, textStatus, errorThrown)

A function to be called if the request fails. The function receives three arguments: The jqXHR (in jQuery 1.4.x, XMLHttpRequest) object, a string describing the type of error that occurred and an optional exception object, if one occurred. Possible values for the second argument (besides null) are “timeout”, “error”, “abort”, and “parsererror”. When an HTTP error occurs, errorThrown receives the textual portion of the HTTP status, such as “Not Found” or “Internal Server Error.” As of jQuery 1.5, the error setting can accept an array of functions. Each function will be called in turn. Note: This handler is not called for cross-domain script and JSONP requests.

src: http://api.jquery.com/jQuery.ajax/

See also original question in stackoverflow

#98: Origin <origin> is not allowed by Access-Control-Allow-Origin (Score: 203)

Created: 2013-09-05 Last updated: 2019-02-16

Tags: javascript, node.js, ajax, google-chrome, cors

XMLHttpRequest cannot load http://localhost:8080/api/test. Origin http://localhost:3000 is not allowed by Access-Control-Allow-Origin. 

I read about cross-domain ajax requests, and understand the underlying security issue. In my case, 2 servers are running locally, and I’d like to enable cross-domain requests during testing.

localhost:8080 - Google Appengine dev server
localhost:3000 - Node.js server

I am issuing an ajax request to localhost:8080 - GAE server while my page is loaded from the node server. What is the easiest and safest way (I don’t want to start Chrome with the disable-web-security option)? If I have to change 'Content-Type', should I do it at the node server? How?

#98 Best answer 1 of Origin <origin> is not allowed by Access-Control-Allow-Origin (Score: 221)

Created: 2013-09-05 Last updated: 2020-01-31

Since they are running on different ports, they are different JavaScript origins. It doesn’t matter that they are on the same machine/hostname.

You need to enable CORS on the server (localhost:8080). Check out this site: http://enable-cors.org/

All you need to do is add an HTTP header to the server:

Access-Control-Allow-Origin: http://localhost:3000

Or, for simplicity:

Access-Control-Allow-Origin: *

Though, don’t use “*” if your server is trying to set a cookie and you use withCredentials = true

when responding to a credentialed request, server must specify a domain, and cannot use wild carding.

You can read more about withCredentials here
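
The allowlist check from the second answer to #91 and the credentialed-request rule from the answer above, combined in one handler shaped for Node's http.createServer(). This is an added example, not code from either answer; the allowlist entries, function names and the stub response object are assumptions made for illustration.

```javascript
// Added example. Allowlist entries, names and stub objects are constructed.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:3000',     // the Node.js page origin from question #98
  'https://www.mysite2.com',   // one entry from the PHP allowlist in #91
]);

// Decide the CORS response headers for one request's Origin header value.
function corsHeadersFor(origin, useCredentials) {
  // Vary: Origin keeps a shared cache from replaying a response generated
  // for one origin to a different origin.
  const headers = { 'Vary': 'Origin' };
  // Exact string comparison only: no substring, suffix or regex matching, so
  // "https://www.mysite2.com.evil.example" and "null" never match.
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return headers;            // no ACAO header: the browser blocks the read
  }
  headers['Access-Control-Allow-Origin'] = origin;  // echo one origin, never "*"
  if (useCredentials) {
    // Only valid together with a specific origin, as the answer notes.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Request handler in the shape http.createServer(handler) expects.
function handleApiRequest(req, res) {
  const cors = corsHeadersFor(req.headers.origin, true);
  for (const [name, value] of Object.entries(cors)) res.setHeader(name, value);

  if (req.method === 'OPTIONS') {          // CORS preflight
    if (cors['Access-Control-Allow-Origin']) {
      res.setHeader('Access-Control-Allow-Methods', 'GET, POST');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
    }
    res.writeHead(204);
    res.end();
    return;
  }
  // The request is still processed for every caller: CORS headers only decide
  // whether a browser lets the calling page read the response.
  res.setHeader('Content-Type', 'application/json');
  res.writeHead(200);
  res.end(JSON.stringify({ ok: true }));
}

// Minimal stand-in for http.ServerResponse so the handler runs offline.
function fakeResponse() {
  return {
    headers: {}, status: null, body: '',
    setHeader(name, value) { this.headers[name] = value; },
    writeHead(code) { this.status = code; },
    end(chunk) { this.body = chunk || ''; },
  };
}

// Constructed requests: trusted origin, look-alike origin, "null", no Origin.
function runCorsSamples() {
  const samples = ['http://localhost:3000',
                   'https://www.mysite2.com.evil.example', 'null', undefined];
  return samples.map((origin) => {
    const res = fakeResponse();
    handleApiRequest({ method: 'GET', headers: origin ? { origin } : {} }, res);
    return [String(origin), res.headers['Access-Control-Allow-Origin'] || '(none)'];
  });
}

console.log(runCorsSamples());
```
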

#98 Best answer 2 of Origin <origin> is not allowed by Access-Control-Allow-Origin (Score: 73)

Created: 2016-06-15 Last updated: 2020-02-11

If you need a quick work around in Chrome for ajax requests, this chrome plugin automatically allows you to access any site from any source by adding the proper response header

Chrome Extension Allow-Control-Allow-Origin: *

See also original question in stackoverflow

#99: What does a Ajax call response like 'for (;;); { json data }' mean? (Score: 202)

Created: 2011-06-14 Last updated: 2017-05-23

Tags: ajax, json, facebook

Possible Duplicate:
Why do people put code like “throw 1; <dont be evil>” and “for(;;);” in front of json responses?

I found this kind of syntax being used on Facebook for Ajax calls. I’m confused on the for (;;); part in the beginning of response. What is it used for?

This is the call and response:

GET http://0.131.channel.facebook.com/x/1476579705/51033089/false/p_1524926084=0

Response:

for (;;);{"t":"continue"}

#99 Best answer 1 of What does a Ajax call response like 'for (;;); { json data }' mean? (Score: 157)

Created: 2011-06-14 Last updated: 2011-06-14

I suspect the primary reason it’s there is control. It forces you to retrieve the data via Ajax, not via JSON-P or similar (which uses script tags, and so would fail because that for loop is infinite), and thus ensures that the Same Origin Policy kicks in. This lets them control what documents can issue calls to the API — specifically, only documents that have the same origin as that API call, or ones that Facebook specifically grants access to via CORS (on browsers that support CORS). So you have to request the data via a mechanism where the browser will enforce the SOP, and you have to know about that preface and remove it before deserializing the data.

So yeah, it’s about controlling (useful) access to that data.
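
The "know about that preface and remove it before deserializing" step from the answer above, as an added example that is not code from the answer or from Facebook. The function names and sample bodies are constructed; the `while(1);` pattern goes beyond the page as another prefix of the same kind, and rejecting unguarded bodies is a design choice of this sketch.

```javascript
// Added example. Names and sample response bodies are constructed.

// Prefixes that make a response useless when loaded through a <script> tag:
// an infinite loop or a throw runs before the JSON is ever reached.
const GUARD_PREFIXES = [
  /^for\s*\(\s*;\s*;\s*\)\s*;/,    // for (;;); as in the question
  /^throw 1;\s*<dont be evil>/,    // prefix quoted in the linked duplicate
  /^while\s*\(\s*1\s*\)\s*;/,      // assumption: same idea, not on this page
];

// Split a response body into "was a guard present" and the JSON that follows.
function stripGuard(text) {
  for (const pattern of GUARD_PREFIXES) {
    const match = pattern.exec(text);
    if (match) {
      return { guarded: true, json: text.slice(match[0].length) };
    }
  }
  return { guarded: false, json: text };
}

// Parse a guarded response fetched via XHR/fetch (same-origin or CORS-approved).
// requireGuard=true treats a missing prefix as an error, so an endpoint that
// silently stopped sending the guard is noticed instead of accepted.
function parseGuardedJson(text, options) {
  const requireGuard = !options || options.requireGuard !== false;
  if (typeof text !== 'string') {
    throw new TypeError('response body must be a string');
  }
  // Drop a byte-order mark and leading whitespace before matching the prefix.
  const cleaned = text.replace(/^\uFEFF/, '').trimStart();
  const { guarded, json } = stripGuard(cleaned);
  if (requireGuard && !guarded) {
    throw new Error('missing guard prefix');
  }
  // JSON.parse treats the remainder as data only; eval() on the raw body
  // would execute the loop and never return.
  return JSON.parse(json);
}

// Constructed response bodies: two spellings of the guard and one bare body.
function runGuardSamples() {
  const bodies = [
    'for (;;);{"t":"continue"}',
    'for(;;);{"t":"continue"}',
    '{"t":"continue"}',
  ];
  return bodies.map((body) => {
    try {
      return parseGuardedJson(body).t;
    } catch (err) {
      return 'rejected: ' + err.message;
    }
  });
}

console.log(runGuardSamples());
```

With jQuery, the same stripping can be done in the `dataFilter` option of `$.ajax`, which receives the raw response text before jQuery parses it.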

#99 Best answer 2 of What does a Ajax call response like 'for (;;); { json data }' mean? (Score: 107)

Created: 2011-08-17 Last updated: 2016-02-19

Facebook has a ton of developers working internally on a lot of projects, and it is very common for someone to make a minor mistake; whether it be something as simple and serious as failing to escape data inserted into an HTML or SQL template or something as intricate and subtle as using eval (sometimes inefficient and arguably insecure) or JSON.parse (a compliant but not universally implemented extension) instead of a “known good” JSON decoder, it is important to figure out ways to easily enforce best practices on this developer population.

To face this challenge, Facebook has recently been going “all out” with internal projects designed to gracefully enforce these best practices, and to be honest the only explanation that truly makes sense for this specific case is just that: someone internally decided that all JSON parsing should go through a single implementation in their core library, and the best way to enforce that is for every single API response to get for(;;); automatically tacked on the front.

In so doing, a developer can’t be “lazy”: they will notice immediately if they use eval(), wonder what is up, and then realize their mistake and use the approved JSON API.

The other answers being provided seem to all fall into one of two categories:

  1. misunderstanding JSONP, or
  2. misunderstanding “JSON hijacking”.

Those in the first category rely on the idea that an attacker can somehow make a request “using JSONP” to an API that doesn’t support it. JSONP is a protocol that must be supported on both the server and the client: it requires the server to return something akin to myFunction({"t":"continue"}) such that the result is passed to a local function. You can’t just “use JSONP” by accident.

Those in the second category are citing a very real vulnerability that has been described allowing a cross-site request forgery via