
Cross-domain scripting issues & JSONP

Updated: 1970-01-01 07:56:18

In short, all AJAX requests (and cross-window scripting) are subject to the Same Origin Policy. JSONP (JSON with Padding) isn't subject to the Same Origin Policy because it works by adding a script from an external domain to the DOM; that script itself contains a call to a known function that already exists on the client, with the JSON as the function call's argument.

JSONP can't return HTML or XML directly, but it could pass an object that contains a string of HTML or XML data, which in turn could be added to the DOM or parsed by the client.

For instance, a JSONP response might look like this:

jsonp_callback({"Errors":"none","Data":"<div id='externalWidget'>Hello!</div>"});

When this script is added to the page, the function jsonp_callback will be executed with the JSON object as its argument. That function would then add the HTML code to the page.
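The round trip just described, as an added example that is not part of the original answer: the provider builds the padded response, the client registers jsonp_callback and the browser runs the fetched script as code with the page's globals in scope. Everything here is constructed for illustration (the registry object stands in for window, the widgetEl stub stands in for the container element, and buildJsonpResponse / runJsonpScript / roundTrip are hypothetical names). It also adds the one check a JSONP provider should always apply: the callback name taken from the request must be a plain identifier, otherwise the requester controls what code the response executes.

```javascript
// Added example (not from the original answer): a minimal JSONP round trip in Node.js,
// no dependencies. The provider side and the client side are both shown.

// --- Provider side -------------------------------------------------------
// Only a JavaScript identifier (optionally dotted, e.g. "ns.handler") is accepted as
// the callback name; anything else would let the requester inject code into the response.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function buildJsonpResponse(callbackName, payload) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error("rejected callback name: " + callbackName);
  }
  // JSON.stringify escapes quotes and control characters. U+2028 / U+2029 are legal
  // inside JSON strings but were line terminators in older JS engines, so escape them too.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `${callbackName}(${json});`;
}

// --- Client side ---------------------------------------------------------
// In a browser the registry is `window` and the <script> tag is appended to the DOM.
// Here a plain object stands in for window and a stub stands in for the widget container.
function makeClient() {
  const registry = {};
  const widgetEl = { innerHTML: "" }; // constructed stand-in for document.getElementById("widget")
  let lastErrors = null;

  registry.jsonp_callback = function (obj) {
    lastErrors = obj.Errors;
    // The provider's HTML goes into the page as-is: the client is trusting that origin
    // completely, both for the script it serves and for the markup inside Data.
    widgetEl.innerHTML = obj.Data;
  };

  return { registry, widgetEl, errors: () => lastErrors };
}

// Simulates what the browser does with the injected <script>: the response text runs as
// code with the client's globals in scope. Nothing parses it as data first.
function runJsonpScript(responseText, registry) {
  const names = Object.keys(registry);
  const script = new Function(...names, responseText);
  script(...names.map((n) => registry[n]));
}

// The page's own example carried end to end.
function roundTrip() {
  const client = makeClient();
  const response = buildJsonpResponse("jsonp_callback", {
    Errors: "none",
    Data: "<div id='externalWidget'>Hello!</div>",
  });
  runJsonpScript(response, client.registry);
  return { response, errors: client.errors(), html: client.widgetEl.innerHTML };
}

// True when the provider refuses the name; false when it is a valid identifier.
function rejectsBadCallback(name) {
  try {
    buildJsonpResponse(name, {});
    return false;
  } catch (e) {
    return true;
  }
}

console.log(roundTrip());
```

The point to take from runJsonpScript is that a JSONP consumer is executing whatever the provider serves; the Same Origin Policy is bypassed precisely because the browser treats the response as script, not as data, so the provider's callback-name validation is what keeps a third party from turning the endpoint into a reflected script source.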

There are other ways of achieving what you want. For instance, if the client doesn't need to manipulate the data in any way, you could provide the widget as an HTML document that your client's page embeds in an iframe:

<iframe id="widget" src="http://mysite.com/widget/v1/"></iframe>

If they did need to manipulate the data, they would be blocked by the Same Origin Policy as outlined above.