
This seems to be the main advantage:

"Unlike JSONP, untrusted third-party JavaScript cannot execute in the context of the calling page."

Edit: It looks like they create an iframe, load the CSS, and parse the data using JavaScript, so it seems to be fairly safe.




Executing "untrusted" 3rd party JavaScript in the context of the calling page is the whole point of JSONP.

Cool hack, but I don't see where this is useful.


I want data from a 3rd party API _not_ code. If I call Google's search API I want to get back an array of search results, but they can run arbitrary code on my page if they feel like it.

I want them to call back my supplied function with the data. That I have to allow them to execute arbitrary code they supply to do that is a flaw.

Having said that, using CSS as the delivery mechanism seems pretty exotic, so I'm not advocating this as the solution, but there is a problem out there.


You could just not make JS requests to untrusted 3rd parties... but point taken... sort of
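
Added example, not part of the thread: the "data, not code" concern raised above, shown by handling the same response body two ways. The API responses, the `handleResults` callback name and the `page` object are constructed for illustration, and `new Function` stands in for the `<script>` tag a JSONP client injects.

```javascript
// Constructed responses from a hypothetical third-party search API.
const honestJsonp = 'handleResults({"results":["a","b"]});';
// Same call, but the provider also ships a statement of its own.
const extraCodeJsonp = 'handleResults({"results":["a","b"]}); page.tampered = true;';
const plainJson = '{"results":["a","b"]}';

// JSONP: the body is a script. new Function stands in for the <script> tag
// the page would inject, so the body runs with access to page state.
function loadViaJsonp(body) {
  const page = { tampered: false }; // stands in for the calling page
  let received = null;
  const handleResults = (data) => { received = data; };
  new Function("page", "handleResults", body)(page, handleResults);
  return { received, tampered: page.tampered };
}

// Data-only: the body is parsed, never executed, then shape-checked.
function loadAsData(body) {
  const page = { tampered: false };
  let data;
  try {
    data = JSON.parse(body);
  } catch (err) {
    return { received: null, tampered: page.tampered, error: "not JSON" };
  }
  const ok = data !== null && typeof data === "object" &&
    Array.isArray(data.results) &&
    data.results.every((r) => typeof r === "string");
  return {
    received: ok ? data : null,
    tampered: page.tampered,
    error: ok ? null : "unexpected shape",
  };
}

console.log(loadViaJsonp(honestJsonp));
console.log(loadViaJsonp(extraCodeJsonp));
console.log(loadAsData(extraCodeJsonp));
console.log(loadAsData(plainJson));
```

The caller gets the same search results either way; only the JSONP path lets the responder change `page`.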



