[jQuery] jQuery.ajax() cross-domain JSONP via POST

Hi there,

I've spotted what appears to be a bug in the jQuery.ajax() code, but I
wanted to touch base here to verify that I am not missing something.

I am attempting to POST some JSON data across domains via jQuery's low-
level .ajax() call; since it is cross-domain, I have to use the JSONP
dataType. Here's the options for my call:

    options = {
        type: 'POST',
        url: query_url,
        dataType: 'jsonp',
        data: JSON.stringify(query),
        processData: false,
        contentType: 'application/json',
        success: that.processResponse,
        error: that.processError,
    };
    jQuery.ajax(options);

The problem occurs when the jQuery code attempts to automatically
insert a dynamically generated callback function signifier to enable
the round-trip JSONP protocol. I am handing the .ajax() function a
proper JSON string in the options data element, but there does not
appear to be any code in the .ajax() function which expects that
situation.

Here's the regular expression which looks for the HTTP query parameter
style syntax "=?" (1.2.6 line 2587):

    var jsonp, jsre = /=\?(&|$)/g, status, data,

Here's the relevant code (1.2.6 lines 2594-2602):

    // Handle JSONP Parameter Callbacks
    if ( s.dataType == "jsonp" ) {
        if ( type == "GET" ) {
            if ( !s.url.match(jsre) )
                s.url += (s.url.match(/\?/) ? "&" : "?") + (s.jsonp || "callback") + "=?";
        } else if ( !s.data || !s.data.match(jsre) )
            s.data = (s.data ? s.data + "&" : "") + (s.jsonp || "callback") + "=?";
        s.dataType = "json";
    }

Since this code falls through the "GET" and then encounters string
data but no match, it appends the callback function name to the JSON
string, resulting in POST data that looks like this:

    {"api_key":"blahblahblah"}&callback=jsonp1217951088150

This blows up generally self-respecting JSON parsers on the remote
server.

This will work fine if we can replace a placeholder in the JSON string
that looks like this:

    "'callback': ?" or just ": ?" (barring circumstances mentioned
    elsewhere where people have attempted to post "?" as a value).

Please let me know if I am misinterpreting our ability to POST data
across domains, misabusing the jQuery.ajax() call, or otherwise
smoking crack.

Thanks,
gf
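
The behaviour described in this post can be reproduced outside the browser. The following is an added example, not part of the original post and not jQuery's own code: `addJsonpPlaceholder` mirrors the 1.2.6 branch quoted above, while `fillCallback`, `serverAccepts`, `buildPost` and the example URL are assumptions made for illustration (the "=?" substitution step is inferred from the POST body shown in the post).

```javascript
// Added illustration: models the jQuery 1.2.6 JSONP branch quoted in the post.
const jsre = /=\?(&|$)/g;

// Mirrors the quoted "Handle JSONP Parameter Callbacks" branch on a settings object.
function addJsonpPlaceholder(s) {
  if (s.dataType === "jsonp") {
    const param = (s.jsonp || "callback") + "=?";
    if (s.type === "GET") {
      if (!s.url.match(jsre)) s.url += (s.url.match(/\?/) ? "&" : "?") + param;
    } else if (!s.data || !s.data.match(jsre)) {
      // A JSON string has no "=?" in it, so the parameter is glued onto the body.
      s.data = (s.data ? s.data + "&" : "") + param;
    }
    s.dataType = "json";
  }
  return s;
}

// Assumed follow-up step: swap the "=?" placeholder for a generated callback name.
function fillCallback(s, name) {
  if (s.data) s.data = s.data.replace(jsre, "=" + name + "$1");
  s.url = s.url.replace(jsre, "=" + name + "$1");
  return s;
}

// What a strict JSON endpoint does with the request body it receives.
function serverAccepts(body) {
  try { JSON.parse(body); return true; } catch (e) { return false; }
}

// Constructed sample request shaped like the options in the post (URL is a placeholder).
function buildPost(data) {
  const s = { type: "POST", url: "http://api.example.test/query", dataType: "jsonp", data: data };
  return fillCallback(addJsonpPlaceholder(s), "jsonp1217951088150");
}

const jsonBody = buildPost(JSON.stringify({ api_key: "blahblahblah" }));
const formBody = buildPost("api_key=blahblahblah");

console.log(jsonBody.data, "-> parses as JSON:", serverAccepts(jsonBody.data));
console.log(formBody.data, "-> form-encoded body stays well-formed");
```

The form-encoded body survives the append because "&callback=..." is valid in that encoding; the JSON body does not, which is the parser failure the post reports.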