
JSONP history and why modern browsers standardized on CORS

Script tags bypassed the same-origin policy for reads but were insecure and limited compared to fetch with CORS.

How JSONP worked

Servers wrapped JSON in a callback function name provided by the client via query string.

Browsers executed the script in a global context—no fine-grained error handling or status codes.

Why teams moved on

POST bodies, auth headers, and structured errors map naturally to fetch once CORS is configured.

Content Security Policy and XSS mitigations work better when you avoid injecting arbitrary script endpoints.
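
The two server-side response shapes described above, side by side, as an added example that is not code from the original post. The function names, the sample profile object and the allowlisted origin are assumptions made for illustration.

```javascript
// Constructed sample data and origin allowlist (assumptions for this example).
const PROFILE = { id: 7, name: "Ada" };
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// JSONP: the response is executable script, so the callback name taken from
// the query string must be constrained to a plain identifier before it is echoed.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function jsonpResponse(query) {
  const cb = query.callback;
  if (typeof cb !== "string" || !CALLBACK_RE.test(cb)) {
    // A <script> tag cannot read this status code; the page only sees onerror.
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "bad callback" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript",
      "X-Content-Type-Options": "nosniff",
    },
    // The JSON is wrapped in a call to the client-chosen function name.
    body: `${cb}(${JSON.stringify(PROFILE)});`,
  };
}

// CORS: the response is data, never script. The server names the single
// origin allowed to read it, and fetch callers get status codes and JSON errors.
function corsResponse(requestHeaders) {
  const origin = requestHeaders.origin;
  const headers = { "Content-Type": "application/json", Vary: "Origin" };
  if (!ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin header: the browser blocks the cross-origin read.
    return { status: 403, headers, body: JSON.stringify({ error: "origin not allowed" }) };
  }
  headers["Access-Control-Allow-Origin"] = origin;
  return { status: 200, headers, body: JSON.stringify(PROFILE) };
}
```

Because the CORS response is served as `application/json`, a page consuming it needs no third-party script source in its Content Security Policy.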
