Thursday, December 15th, 2005


Category: Programming, Remoting, Security

>Simon Willison, now at Yahoo!, reports that Yahoo! has JSONified itsAPI:

As of today, JSON is supported as an alternative output format for nearly all of Yahoo!’s Web Service APIs. This is a Really Big Deal, because it makes Yahoo!’s APIs available to JavaScript running anywhere on the web without any of the normal problems caused by XMLHttpRequest’s cross domain security policy.

Like JSON itself, the workaround is simple. You can append two arguments to a Yahoo! REST Web Service call:


The page returned by the service will look like this:

myFunction({ JSON data here });

You just need to define myFunction in your code and it will be called when the script is loaded. To make cross-domain requests, just dynamically create your script tags using the DOM

It’s good they’ve offered a simple callback technique, as there’s no such thing on the JSON API offered by Delicious (now part of Yahoo!, coincidence or not?). A callback is more than a convenience; it’s important for the browser to know when the script has been loaded, since it will sometimes be asynchronous. Bob Ippolito’s JSONP idea, posted here last week, is a more general way to support a callback mechanism, so it will be interesting to see if Yahoo! adopt it.

Are we about to see a proliferation of mashup-friendly JSON APIs? Yahoo’s upped the ante here, and if others want to be all “2.0″ and share their data with the world, they’ll have to follow. Most API responses from Technorati, Flicker, et al, probably end up in a browser one way or the other, so sending it there directly might be the easiest thing in many cases. Of course, JSON APIs have their downsides, most importantly the security risk of running third-party scripts.

One thing’s for sure: brace yourself for another exciting round of “Ajax is a Security Hole” :-).

Related Content:

Posted by Michael Mahemoff at 6:51 pm

4.2 rating from 13 votes


Comments feed

Wow… This is huge! This is definitely the next stage of Javascript web application development.

I noticed that if you don’t include a callback, Yahoo returns a proper JSON object (as it should) – a smart move.

Comment by John Resig — December 15, 2005

Here’s a working example: SpiffY!Search.

Comment by Kent Brewster — December 16, 2005

Perhaps we should collectively redefine Ajax to mean “Asynchronous Javascript And eXtensibility”? Then mashup-friendliness could be considered baked-in to the definition, and XML dropped (at last).

Comment by Chris Purcell — December 16, 2005

Now all we need is a general purpose XML to JSON webservice!

Comment by Rich Manalang — December 16, 2005

i’m pleased this cute hack came out of my employer, nice to see someone thinking over there. BUT the javascript security features exist for a reason. yes its trivial to set up a middleware proxy, but at least there was an ISP keeping logs on the traffic that passed through it. maybe this is a long-term good, maybe it will force browser vendors and standards groups to apply a real security model to all in-browser scripting.

in the meantime, i use noscript for firefox and recommend you do the same. globally enabling javascript now seems as insane to me as using telnet and rsh.

Comment by grumpY! — December 17, 2005

I am using this approach, talking to a service that can run for 30-40 seconds and returns json progressively so to speak. Wondering whether anyone has an idea on how to make the function calls happen progressively. Right now everything happens at the end once the service is done. The output looks something like this:

(…4-5 second wait)
(…4-5 second wait)

Obviously I could pack this into an HTML document with enclosing script tags, HTML is rendered progressively so that works fine but that eliminates any chance of access from another domain :) Was hoping to be able to do that without providing a “proxy” on the other domain

Comment by Atli Thorbjornsson — December 21, 2005

Found another great example here:

Comment by Brian — July 11, 2006

Leave a comment

You must be logged in to post a comment.