I am starting to develop using JSONP to allow my code to be embedded into the site of another company and call my server without being blocked by the same-origin policy.
My question is simply: with this technique, anyone that could inject javascript could easily use JSONP in <script> tags to load content from anywhere he wants, so what is the point of the same-origin policy if there is this easy workaround?
I understand that the server has to reply with JSONP compatible content but it seems to me that it stays pretty easy to do whatever he wants.
No, that's the caveat. The information that is not publicly available is not (or at least should not be) offered as JSONP. Only content that is supposed to be loaded into arbitrary sites (and allowed to ignore the SOP) will be offered as JSONP by its owner.
The purpose of the SOP is not to protect against people who are able to inject javascript into arbitrary sites, but to protect arbitrary sites from being embedded into a possibly hostile one.
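The caveat in this answer, shown as an added example in Node.js (not code from the question or the answer): the endpoint only wraps resources its owner has flagged as public in the caller's callback, refuses everything else, and validates the reflected callback name, since whatever the server wraps is readable by any page that embeds the `<script>` tag. The resource table, `jsonpResponse` and `simulateBrowserExecute` are all constructed for this illustration.

```javascript
// Constructed sample store: the "public" flag is the owner's decision about
// what may be loaded cross-origin via JSONP. Private data must never be wrapped.
const RESOURCES = {
  weather: { public: true, body: { city: "Oslo", tempC: 7 } },
  account: { public: false, body: { email: "user@example.com", balance: 120 } },
};

// The callback name comes from the request and is echoed into executable script
// text, so restrict it to a plain (optionally dotted) JS identifier.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Server side: build the JSONP script body for ?resource=...&callback=...
// Returns null when the request must be refused (unknown or private resource,
// or an unsafe callback name); the HTTP layer would then send 403/400.
function jsonpResponse(resourceName, callback) {
  const res = RESOURCES[resourceName];
  if (!res || !res.public) return null;          // private data: not JSONP
  if (typeof callback !== "string" || !CALLBACK_RE.test(callback)) return null;
  // Leading "/**/" is a common hardening against the response being
  // interpreted as another content type; it is harmless to the callback.
  return `/**/${callback}(${JSON.stringify(res.body)});`;
}

// Client side (what the embedding page does): a <script> tag pointing at the
// endpoint. The browser applies no SOP check to it, which is the whole point.
function buildJsonpUrl(baseUrl, resourceName, callbackName) {
  return `${baseUrl}?resource=${encodeURIComponent(resourceName)}` +
         `&callback=${encodeURIComponent(callbackName)}`;
}

// Stand-in for the browser executing the fetched script: the page's callback
// is in scope, so the cross-origin data ends up in the embedding page.
function simulateBrowserExecute(scriptText, callbacks) {
  const fn = new Function(...Object.keys(callbacks), scriptText);
  fn(...Object.values(callbacks));
}

// Demo: public resource is delivered, private one and bad callback are refused.
let received = null;
simulateBrowserExecute(jsonpResponse("weather", "handleWeather"),
                       { handleWeather: (data) => { received = data; } });
console.log(received);                                   // { city: 'Oslo', tempC: 7 }
console.log(jsonpResponse("account", "handleAccount"));  // null
console.log(jsonpResponse("weather", "alert(1)//"));     // null
console.log(buildJsonpUrl("https://api.example.test/jsonp", "weather", "handleWeather"));
```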