Because you can ask the server to prepend a prefix to the returned JSON object, e.g. `function_prefix(json_object);`, in order for the browser to eval "inline" the JSON string as an expression. This trick makes it possible for the server to "inject" JavaScript code directly in the client browser, thereby bypassing the "same origin" restrictions.
In other words, you can achieve cross-domain data exchange.
Normally, `XMLHttpRequest` doesn't permit cross-domain data exchange directly (one needs to go through a server in the same domain), whereas with `<script src="some_other_domain/some_data.js&prefix=function_prefix">` one can access data from a domain different from the origin.
Also worth noting: even though the server should be considered "trusted" before attempting that sort of "trick", the side effects of a possible change in object format etc. can be contained. If a `function_prefix` (i.e. a proper JS function) is used to receive the JSON object, the said function can perform checks before accepting/further processing the returned data.
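The round trip described above, as an added example that is not part of the original answer, simulated in Node without a browser: the server wraps the JSON in the requested prefix (accepting only a plain identifier as the prefix), and the client's receiving function checks the object's shape before accepting it. The names `buildJsonpResponse`, `makeReceiver`, `runScriptBody` and `exchange`, and the `{id, name}` record layout, are assumptions for illustration.

```javascript
// Added example: JSONP prefix wrapping on the server side and shape checks in
// the client-side receiving function. All names here are illustrative.

// Server side: only a plain JS identifier may be used as the prefix, so the
// "prefix" parameter cannot turn into arbitrary script in the response.
const SAFE_PREFIX = /^[A-Za-z_$][\w$]*$/;

function buildJsonpResponse(prefix, data) {
  if (!SAFE_PREFIX.test(prefix)) {
    throw new Error("refusing non-identifier callback prefix");
  }
  // The response body is an expression statement: prefix(<json>);
  return `${prefix}(${JSON.stringify(data)});`;
}

// Client side: the function named by the prefix validates the object before
// anything else processes it. `store` collects the outcome for inspection.
function makeReceiver(store) {
  return function receiveData(obj) {
    const valid =
      typeof obj === "object" && obj !== null &&
      typeof obj.id === "number" && typeof obj.name === "string";
    if (!valid) {
      store.rejected.push(obj);
      return false;
    }
    // Copy only the fields we expect; extra properties are dropped.
    store.accepted.push({ id: obj.id, name: obj.name });
    return true;
  };
}

// Simulates the browser evaluating the fetched script body with the
// receiver exposed under the requested name (a stand-in for <script src>).
function runScriptBody(body, prefix, receiver) {
  const run = new Function(prefix, body);
  run(receiver);
}

// Full exchange: build the response, "load" it, return what the client kept.
function exchange(prefix, data) {
  const store = { accepted: [], rejected: [] };
  const body = buildJsonpResponse(prefix, data);
  runScriptBody(body, prefix, makeReceiver(store));
  return store;
}
```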