As JSONP requests are created in the following way:
var script = document.createElement('script');
script.src = 'url'; // placeholder for the JSONP endpoint URL
// DOM event handler properties are lower-case: onload, not onLoad
script.onload = function () { dosomething(); };
document.body.appendChild(script);
My question is: is there a W3C-standard, cross-browser supported event like onBeforeLoad which would let us stop executing the downloaded script in case it is not a well-formed JSONP response, does not pass some predefined schema validation, or simply contains some harmful code (basic script validation)?
I know of the onBeforeLoad event supported in some browsers out there, but focusing on the downloaded script's data source, and for any of the reasons stated above, it would be extremely useful to have cross-browser access to the loading script's source and, for good reasons, the possibility to stop its execution just before it starts.
For example the above script could be the following:
var script = document.createElement('script');
script.src = 'url'; // placeholder for the JSONP endpoint URL
// Hypothetical event: onBeforeLoad, this.dataSource, json.parseJson and
// json.validateAgainst do not exist in any browser; they illustrate the wish.
script.onBeforeLoad = function () {
  if (json.parseJson(this.dataSource) &&
      json.validateAgainst(schema, this.dataSource)) {
    return false; // well-formed and valid: let it run
  } else {
    return true;  // block execution
  }
};
// if onBeforeLoad returns true, onload will not be fired
script.onload = function () { dosomething(); };
document.body.appendChild(script);
I know that JSONP is all about trust in the 3rd-party JavaScript module, hence I sometimes wish I could validate those modules just before I use them.
If you want to detect whether the JSONP response is more than the JSONP you are expecting, then no, this is not possible.
If you would be able to read the response, you wouldn’t need JSONP in the first place. Because the main reason to use JSONP is to circumvent the restrictions on accessing the response of XHR requests or via DOM due to the Same-Origin Policy. And the extension of XHR (formerly known as XHR Level 2) that allows cross-origin requests by supporting the CORS specification may not be applicable due to missing support by browsers and/or by servers.
That’s the main security concern with JSONP: You need to trust the server.
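As an added example (not code from the question or the answer), here is the only validation JSONP actually permits: checking the payload inside the callback the script invokes. It also shows why that is not the check the question asks for: any other statement in the response has already run with full page privileges before the callback sees the data. `validateAgainst`, `makeJsonpCallback` and `simulateJsonpResponse` are hypothetical helpers written for this illustration.

```javascript
// Added example, not from the question or the answer. It demonstrates
// callback-level schema validation of a JSONP payload and the limit of
// that approach: the response script executes before the callback runs.
// validateAgainst / makeJsonpCallback / simulateJsonpResponse are hypothetical.

// Schema: required top-level key -> expected typeof; no extra keys allowed.
function validateAgainst(schema, data) {
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return false;
  for (const key of Object.keys(schema)) {
    if (!(key in data) || typeof data[key] !== schema[key]) return false;
  }
  return Object.keys(data).every((k) => k in schema);
}

// The JSONP callback: the page only consumes payloads that pass the schema.
function makeJsonpCallback(schema, trace) {
  return function jsonpCallback(payload) {
    if (validateAgainst(schema, payload)) trace.push('accepted:' + payload.id);
    else trace.push('rejected');
  };
}

// Stand-in for the browser executing the fetched <script>: the response
// text is run as code with `cb` bound to our callback. `trace` records
// the order in which things happen so the limit of the check is visible.
function simulateJsonpResponse(responseText, schema) {
  const trace = [];
  const run = new Function('cb', 'trace', responseText);
  run(makeJsonpCallback(schema, trace), trace);
  return trace;
}

const schema = { id: 'number', name: 'string' };

// Constructed responses. The third carries an extra statement before the
// callback: schema validation cannot stop it, it only withholds the data.
const wellFormed = "cb({ id: 7, name: 'alice' });";
const malformed = "cb({ id: '7' });";
const withExtra = "trace.push('extra-statement-ran'); cb({ id: 7, name: 'alice' });";

// In a real page the callback is registered on window before the script is
// appended and removed again on completion, on script.onerror or a timeout.
console.log(simulateJsonpResponse(wellFormed, schema)); // [ 'accepted:7' ]
console.log(simulateJsonpResponse(malformed, schema));  // [ 'rejected' ]
console.log(simulateJsonpResponse(withExtra, schema));  // [ 'extra-statement-ran', 'accepted:7' ]
```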