0

I have created a bookmark that extracts all images from a page when clicked and sends the img's src back to another (remote) server via JSONP.

Problem: The remote server has to check for session authentication cookies to ensure that the user sending the JSONP request is logged in before adding the img src to the database. I am able to check for the session cookies over JSONP, now if the user is not logged in and I want to allow the user to login at this point, how should I present the login screen?

Also, are there any security risks with checking for session cookies over JSONP?

Bookmark's jQuery

The way I am using .getJSON to do JSONP is probably wrong`

$('.thing').on('click', function() {
    var jsonp_url = 'http://mydomain.com/bookmark.js?callback=?';
    var data = {
        type: 'addToLibrary',
        thingImgSrc: 'http://google.com/someimage.jpg';
    };
    $.getJSON(jsonp_url, data, function(resp) {
        // console.log('done');
    });
});

Server response if logged in

addToLibrary(["1"])

Server response if NOT logged in

addToLibrary(["0"])

Callback function

addToLibrary = function(data) {
    if(data == '0') {
        // show login screen
    } else {
        // show OK screen
    }
}

Ideas for User to Login

  1. On receiving ["0"] indicating an error, popup a window showing login form, login will be done normally since the popup window contains a page from the remote server.
  2. On receiving ["0"] indicating an error, popup an AJAX-style modal box on current page containing the login form, login will be done via JSONP.
Nyxynyx
  • 61,411
  • 155
  • 482
  • 830
  • Your server should honour the `callback` parameter that jQuery sends via `$_GET` – Ja͢ck Dec 06 '12 at 13:35
  • Am I right to say that even though the URL supplied to jQuery is `http://mydomain.com/bookmark.js?callback=?`, the actual URL used by jQuery is `http://mydomain.com/bookmark.js?callback=someVariableSetByjQuery`? – Nyxynyx Dec 06 '12 at 13:39

1 Answers1

1

Why not send back an object?

addToLibrary( { "result" : ["registereduser@gmail.com"] } );
addToLibrary( { "error" : true, message : "must log in"  } );

In your function you check for the error or result and handle it that way. No wondering what Zero is.

function addToLibrary(resp) {
    if (resp.error) {
        showLoginPrompt();
    } else {
        addItems(resp.result);
    }
}
epascarello
  • 204,599
  • 20
  • 195
  • 236
  • Great, this is much better! I'm wondering if its necessary to define the `addToLibrary()` callback function? I was hoping that `$.getJSON()`'s callback function will be the JSONP's callback function, `addToLibrary()` in this case.I tried with `.getJSON(url,data, function(){ console.log('hey'); });` but it doesnt seem to be called. – Nyxynyx Dec 06 '12 at 13:18
  • Thanks, I am now using `$.getJSON()` with JSONP the way its intended. Getting a `Resource interpreted as Script but transferred with MIME type text/html:` warning when receiving the JSONP response, I guess I'll create another post for this. – Nyxynyx Dec 06 '12 at 15:47