Why is cross-domain JSONP safe, but cross-domain JSON not?

Front end · Unresolved · 2 · 743
庸人自扰 2021-02-01 04:01

I'm having trouble connecting some dots having recently learned of JSONP. Here's my understanding:

  • Cross-domain XmlHttpRequests for any content (including JSON)
2 answers
  • 执念已碎
    2021-02-01 04:40

    I don't know how the perception that JSONP is safe came up, but see

    JSON-P is, for that reason, seen by many as an unsafe and hacky approach to cross-domain Ajax, and for good reason. Authors must be diligent to only make such calls to remote web services that they either control or implicitly trust, so as not to subject their users to harm.

    and

    The most critical piece of this proposal is that browser vendors must begin to enforce this rule for script tags that are receiving JSON-P content, and throw errors (or at least stop processing) on any non-conforming JSON-P content.

    both quotes from http://json-p.org/ .

    Other links with some useful information about JSONP/security:

    • http://beebole.com/en/blog/general/sandbox-your-cross-domain-jsonp-to-improve-mashup-security/
    • Cross Domain Limitations With Ajax - JSON
    • JSONP Implications with true REST

    All of these say two things: basically, it is not considered "safe", but there are ideas on how to make it "safer"... though most ideas rely on standardization AND specific check logic being built into browsers, etc.
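The second json-p.org quote asks browsers to refuse JSON-P content that is anything other than a callback wrapped around JSON. The following is an added example (not from the reply above and not json-p.org's own code) of what such a check looks like when the response text is available as a string; the exact rule enforced (a plain identifier as callback name, one JSON argument, optional trailing semicolon) is my own assumption of a "strict" form, and the sample responses are constructed.

```javascript
"use strict";

// Strict JSON-P shape (assumed here, not the site's exact specification):
// exactly one call to a plain identifier whose only argument is a JSON value,
// optionally followed by a semicolon. Anything else is refused, never executed.
const JSONP_SHAPE = /^\s*([A-Za-z_$][\w$]*)\s*\(([\s\S]*)\)\s*;?\s*$/;

// Returns { ok: true, value } for a conforming response, or
// { ok: false, reason } for a response that must not be run as script.
function checkJsonp(text, expectedCallback) {
  const m = JSONP_SHAPE.exec(text);
  if (!m) {
    return { ok: false, reason: "not of the form callback(<value>)" };
  }
  const [, name, body] = m;
  if (name !== expectedCallback) {
    return { ok: false, reason: `unexpected callback "${name}"` };
  }
  try {
    // JSON.parse yields data only. A function literal, an unquoted key or a
    // second statement inside the parentheses all fail here, so the payload
    // is usable as data without ever being evaluated as code. This is exactly
    // the property a plain cross-domain JSON response has and a <script> lacks.
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, reason: `argument is not JSON: ${e.message}` };
  }
}

// Constructed sample responses, as a <script src> tag would receive them.
const SAMPLES = {
  conforming: 'cb({"user":"alice","roles":["reader"]});',
  wrongCallback: 'other({"user":"alice"});',
  extraStatement: 'cb({"user":"alice"}); sideEffect();',
  notJson: 'cb({user: "alice", f: function () {}})',
};

// Check every sample against the callback name the page actually registered.
function classifySamples() {
  const out = {};
  for (const [label, text] of Object.entries(SAMPLES)) {
    out[label] = checkJsonp(text, "cb").ok;
  }
  return out; // only "conforming" is true
}
```

Note that a real `<script src>` tag runs the response before any such check could see it, which is why the proposal puts the enforcement in the browser rather than in page code.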
