Last modified: 2009-05-04 07:07:14 UTC
The API sometimes returns different output when a JSON callback is used. Compare the output from http://commons.wikimedia.org/w/api.php?action=parse&pst&text=~~~~&prop=text&format=json (expands the tildes correctly to my username and a timestamp) and http://commons.wikimedia.org/w/api.php?action=parse&pst&text=~~~~&prop=text&format=json&callback=foo (expands the tildes to my IP number and a timestamp). Why?
For security reasons requests with a callback are automagically anonymized. This is to prevent a site from stealing your credentials.
More reference: r31483

Imagine if this wasn't the case. Imagine if any en.wp sysop visited a page with:

    <form method="post" action="http://en.wikipedia.org/w/index.php?title=Special:Block&action=submit">
      <input name="wpBlockAddress" type="hidden" value="Jimbo Wales" />
      <input name="wpBlockOther" type="hidden" value="indefinite" />
      <input name="wpBlockReason" type="hidden" value="epic lulz" />
      <input name="wpAnonOnly" type="hidden" value="0" />
      <input name="wpCreateAccount" type="hidden" value="1" />
      <input name="wpEnableAutoblock" type="hidden" value="1" />
      <input name="wpEmailBan" type="hidden" value="1" />
      <input name="wpWatchUser" type="hidden" value="1" />
      <input name="wpBlock" type="submit" tabindex="13" id="blocker" />
      <input name="wpEditToken" id="token" type="hidden" value="" />
    </form>
    <script type="text/javascript" src="http://test.wikipedia.org/w/api.php?action=query&prop=info&meta=userinfo&uiprop=groups&titles=User:Jimbo%20Wales&indexpageids&intoken=block&format=json&callback=blocker"></script>
    <script type="text/javascript">
    function blocker(obj) {
      if(!obj['query']['userinfo']['groups'] || obj['query']['userinfo']['groups'].join(' ').indexOf('sysop') == -1 ) return
      var token = obj['query']['pages'][obj['query']['pageids'][0]]['blocktoken'];
      document.getElementById('token').value = token;
      document.getElementById('blocker').click() ;
    }
    </script>
(In reply to comment #2)
> <script type="text/javascript"
> src="http://test.wikipedia.org/w/api.php?action=query&prop=info&meta=userinfo&uiprop=groups&titles=User:Jimbo%20Wales&indexpageids&intoken=block&format=json&callback=blocker"></script>

Oops, obviously the first script src should be
http://en.wikipedia.org/w/api.php?action=query&prop=info&meta=userinfo&uiprop=groups&titles=User:Jimbo%20Wales&indexpageids&intoken=block&format=json&callback=blocker

Compare to the same query without &callback parameter.
http://en.wikipedia.org/w/api.php?action=query&prop=info&meta=userinfo&uiprop=groups&titles=User:Jimbo%20Wales&indexpageids&intoken=block&format=json

Without the callback parameter the JavaScript returned is not stand-alone executable, and cannot be loaded in a script src. The usual method to use this is to fetch it via ajax and eval('somefunction(' + data + ')'), but ajax won't work across domains*.

*Obviously there are ways, such as manually disabling security, signed scripts, or mutually trusted sites.
Thanks for the explanation, Splarka. I keep forgetting that JSON w/ callback can be used in script-tags.
*** Bug 18662 has been marked as a duplicate of this bug. ***
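
The behaviour explained in this thread, as an added server-side sketch (not MediaWiki's code and not from any commenter): when a `callback` parameter is present, the handler ignores the session cookie, so the script-loadable response carries only anonymous data and no token. The function, session store, sample user and token value are all constructed for illustration, and the callback-name check is an extra hardening step the thread does not discuss.

```javascript
// Added illustration; every name and value below is hypothetical/constructed.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Constructed session store: cookie value -> logged-in user.
const SESSIONS = new Map([
  ['sess-abc', { name: 'ExampleSysop', groups: ['sysop'], token: 'constructed-token' }],
]);

function handleApiRequest(req) {
  const callback = req.query.callback;
  const isJsonp = callback !== undefined;

  // Only plain identifier paths may be echoed back as the function name.
  if (isJsonp && !CALLBACK_RE.test(callback)) {
    return { status: 400, type: 'text/plain', body: 'invalid callback' };
  }

  // A response wrapped in callback(...) can be loaded by any site through
  // <script src>, and the browser sends the visitor's cookies with it.
  // So the session is never consulted when a callback is requested.
  const session = isJsonp ? undefined : SESSIONS.get(req.cookies.session);
  const user = session || { name: req.ip, groups: [], token: null };

  const data = { userinfo: { name: user.name, groups: user.groups } };
  if (req.query.intoken && user.token) {
    data.token = user.token; // unreachable for callback requests
  }

  const json = JSON.stringify(data);
  return isJsonp
    ? { status: 200, type: 'text/javascript', body: `${callback}(${json})` }
    : { status: 200, type: 'application/json', body: json };
}

// Constructed request from a logged-in sysop, with and without a callback.
const sampleRequest = {
  ip: '192.0.2.7',
  cookies: { session: 'sess-abc' },
  query: { intoken: 'block' },
};
console.log(handleApiRequest(sampleRequest).body);
console.log(handleApiRequest({
  ...sampleRequest,
  query: { ...sampleRequest.query, callback: 'blocker' },
}).body);
```
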