JSON
JavaScript Object Notation JSON, pronounced ; also is an open standard file format, and data interchange format, that uses human-readable text to store and transmit data objects consisting of attribute–value pairs and array data types or any other serializable value. It is a very common data format, with a diverse range of applications, such as serving as replacement for XML in AJAX systems.
JSON is a language-independent data format. It was derived from JavaScript, but many modern programming languages include code to generate and parse JSON-format data. The official Internet media type for JSON is application/json. JSON filenames use the extension .json.
Douglas Crockford originally specified the JSON format in the early 2000s. JSON was first standardized in 2013, as ECMA-404. RFC 8259, published in 2017, is the current version of the Internet Standard STD 90, and it remains consistent with ECMA-404. That same year, JSON was also standardized as ISO/IEC 21778:2017. The ECMA and ISO standards describe only the allowed syntax, whereas the RFC covers some security and interoperability considerations.
History
JSON grew out of a need for stateless, real-time server-to-browser communication protocol without using browser plugins such as Flash or Java applets, the dominant methods used in the early 2000s.
Douglas Crockford first specified and popularized the JSON format. The acronym originated at State Software, a company co-founded by Crockford and others in March 2001. The co-founders agreed to build a system that used standard browser capabilities and provided an abstraction layer for Web developers to create stateful Web applications that had a persistent duplex connection to a Web server by holding two Hypertext Transfer Protocol HTTP connections open and recycling them before standard browser time-outs if no further data were exchanged. The co-founders had a round-table discussion and voted whether to call the data format JSML or JSON, as well as under what license type to make it available. Crockford added a clause to the JSON license stating that "The Software shall be used for Good, not Evil," in order to open-source the JSON libraries while mocking corporate lawyers and those who are overly pedantic. Chip Morningstar developed the idea for the State Application Framework at State Software. On the other hand, this clause led to license compatibility problems of the JSON license with other open-source licenses.
A precursor to the JSON libraries was used in a children's digital asset trading game project named Cartoon Orbit at Communities.com the State co-founders had all worked at this company previously for Cartoon Network, which used a browser side plug-in with a proprietary messaging format to manipulate DHTML elements this system is also owned by 3DO. Upon discovery of early Ajax capabilities, digiGroups, Noosh, and others used frames to pass information into the user browsers' visual field without refreshing a Web application's visual context, realizing real-time rich Web applications using only the standard HTTP, HTML and JavaScript capabilities of Netscape 4.0.5+ and IE 5+. Crockford then found that JavaScript could be used as an object-based messaging format for such a system. The system was sold to Sun Microsystems, Amazon.com and EDS. The JSON.org website was launched in 2002. In December 2005, Yahoo! began offering some of its Web services in JSON.
JSON was based on a subset of the JavaScript scripting language specifically, Standard ECMA-262 3rd Edition—December 1999 and is commonly used with JavaScript, but it is a language-independent data format. Code for parsing and generating JSON data is readily available in many programming languages. JSON's website lists JSON libraries by language.
Though JSON was originally advertised and believed to be a strict subset of JavaScript and ECMAScript, it inadvertently allows some unescaped characters in strings that were illegal in JavaScript and ECMAScript string literals. JSON is a strict subset of ECMAScript as of the language's 2019 revision. See Data portability issues below.
In October 2013, Ecma International published the first edition of its JSON standard ECMA-404. That same year, RFC 7158 used ECMA-404 as a reference. In 2014, RFC 7159 became the main reference for JSON's Internet uses, superseding RFC 4627 and RFC 7158 but preserving ECMA-262 and ECMA-404 as main references. In November 2017, ISO/IEC JTC 1/SC 22 published ISO/IEC 21778:2017 as an international standard. On 13 December 2017, the Internet Engineering Task Force obsoleted RFC 7159 when it published RFC 8259, which is the current version of the Internet Standard STD 90.
Data types and syntax
JSON's basic data types are:
Whitespace is allowed and ignored around or between syntactic elements values and punctuation, but not within a string value. Four specific characters are considered whitespace for this purpose: space, horizontal tab, line feed, and carriage return. In particular, the byte order mark must not be generated by a conforming implementation though it may be accepted when parsing JSON. JSON does not provide syntax for comments.
Early versions of JSON such as specified by RFC 4627 required that a valid JSON text must consist of only an object or an array type, which could contain other types within them. This restriction was dropped in RFC 7158, where a JSON text was redefined as any serialized value.
The following example shows a possible JSON representation describing a person.
{
"firstName": "John",
"lastName": "Smith",
"isAlive": true,
"age": 27,
"address": {
"streetAddress": "21 2nd Street",
"city": "New York",
"state": "NY",
"postalCode": "10021-3100"
},
"phoneNumbers": [
{
"type": "home",
"number": "212 555-1234"
},
{
"type": "office",
"number": "646 555-4567"
},
{
"type": "mobile",
"number": "123 456-7890"
}
],
"children": [],
"spouse": null
}
Although Douglas Crockford originally asserted that JSON is a strict subset of JavaScript, his specification actually allows valid JSON documents that are not valid JavaScript; JSON allows the Unicode line terminators U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR to appear unescaped in quoted strings, while ECMAScript 2018 and older does not. This is a consequence of JSON disallowing only "control characters". For maximum portability, these characters should be backslash-escaped. This subtlety is important when generating JSONP.
JSON exchange in an open ecosystem must be encoded in UTF-8. The encoding supports the full Unicode character set, including those characters outside the Basic Multilingual Plane U+10000 to U+10FFFF. However, if escaped, those characters must be written using UTF-16 surrogate pairs, a detail missed by some JSON parsers. For example, to include the Emoji character U+1F610 😐 NEUTRAL FACE in JSON:
{ "face": "😐" }
// or
{ "face": "\uD83D\uDE10" }
Numbers in JSON are agnostic with regard to their representation within programming languages. While this allows for numbers of arbitrary precision to be serialized, it may lead to portability issues. For example, since no differentiation is made between integer and floating-point values, some implementations may treat 42, 42.0, and 4.2E+1 as the same number, while others may not. The JSON standard make no requirements regarding implementation details such as overflow, underflow, loss of precision, rounding, or signed zeros, but it does recommend to expect no more than IEEE 754 binary64 precision for "good interoperability". There is no inherent precision loss in serializing a machine-level binary representation of a floating-point number like binary64 into a human-readable decimal representation like numbers in JSON, and back, since there exist published algorithms to do this exactly and optimally.
Comments were purposefully excluded from JSON. In 2012, Douglas Crockford described his design decision thus: "I removed comments from JSON because I saw people were using them to hold parsing directives, a practice which would have destroyed interoperability."
While JSON provides a syntactic framework for data interchange, unambiguous data interchange also requires agreement between producer and consumer on the semantics of a specific use of the JSON syntax. One example of where such an agreement is necessary is the serialization of data types defined by the JavaScript syntax that are not part of the JSON standard, e.g. Date, Function, Regular Expression, and undefined.
Metadata and schema
The official MIME type for JSON text is "application/json", and most modern implementations have adopted this.
The unofficial MIME type "text/json" or the content-type "text/javascript" also get legacy support by many service providers, browsers, servers, web applications, libraries, frameworks, and APIs. Notable examples include the Google Search API, Yahoo!, Flickr, Facebook API, Lift framework, Dojo Toolkit 0.4, etc.
JSON Schema specifies a JSON-based format to define the structure of JSON data for validation, documentation, and interaction control. It provides a contract for the JSON data required by a given application, and how that data can be modified.
JSON Schema is based on the concepts from XML Schema XSD, but is JSON-based. As in XSD, the same serialization/deserialization tools can be used both for the schema and data; and is self-describing. It is specified in an Internet Draft at the IETF, currently in 2019-09 draft, which was released on September 19, 2019. There are several validators available for different programming languages, each with varying levels of conformance.
There is no standard filename extension, but some have suggested .schema.json.
Example JSON Schema 2019-09:
{
"$schema": "http://json-schema.org/draft/2019-09/schema",
"title": "Product",
"type": "object",
"required": ["id", "name", "price"],
"properties": {
"id": {
"type": "number",
"description": "Product identifier"
},
"name": {
"type": "string",
"description": "Name of the product"
},
"price": {
"type": "number",
"minimum": 0
},
"tags": {
"type": "array",
"items": {
"type": "string"
}
},
"stock": {
"type": "object",
"properties": {
"warehouse": {
"type": "number"
},
"retail": {
"type": "number"
}
}
}
}
}
The JSON Schema above can be used to test the validity of the JSON text below:
{
"id": 1,
"name": "Foo",
"price": 123,
"tags": [
"Bar",
"Eek"
],
"stock": {
"warehouse": 300,
"retail": 20
}
}
The JSON standard does not support object references, but an IETF draft standard for JSON-based object references exists. The Dojo Toolkit supports object references using standard JSON; specifically, the dojox.json.ref module provides support for several forms of referencing including circular, multiple, inter-message, and lazy referencing. Internally both do so by assigning a "$ref" key for such references and resolving it at parse-time; the IETF draft only specifies the URL syntax, but Dojo allows more.
Alternatively, non-standard solutions exist such as the use of Mozilla JavaScript Sharp Variables. However this functionality became obsolete with JavaScript 1.8.5 and was removed in Firefox version 12.
Applications
JSON-RPC is a remote procedure call RPC protocol built on JSON, as a replacement for XML-RPC or SOAP. It is a simple protocol that defines only a handful of data types and commands. JSON-RPC lets a system send notifications information to the server that does not require a response and multiple calls to the server that can be answered out of order. Example of a JSON-RPC 2.0 request and response using positional parameters.
--> {"jsonrpc": "2.0", "method": "subtract", "params": [42, 23], "id": 1}
<-- {"jsonrpc": "2.0", "result": 19, "id": 1}
Asynchronous JavaScript and JSON or AJAJ refers to the same dynamic web page methodology as Ajax, but instead of XML, JSON is the data format. AJAJ is a web development technique that provides for the ability of a webpage to request new data after it has loaded into the web browser. Typically it renders new data from the server in response to user actions on that webpage. For example, what the user types into a search box, client-side code then sends to the server, which immediately responds with a drop-down list of matching database items.
The following JavaScript code is an example of a client using XMLHttpRequest to request data in JSON format from a server. The server-side programming is omitted; it must be set up to service requests to the url containing a JSON-formatted string.
var my_JSON_object;
var http_request = new XMLHttpRequest;
http_request.open"GET", url, true;
http_request.responseType = "json";
http_request.onreadystatechange = function {
var done = 4, ok = 200;
if http_request.readyState === done && http_request.status === ok {
my_JSON_object = http_request.response;
}
};
http_request.sendnull;
While JSON is a data serialization format, it has seen ad hoc usage as a configuration language. In this use case, support for comments and other features have been deemed useful, which has led to several nonstandard JSON supersets being created. Among them are HJSON, HOCON, and JSON5 which despite its name, isn't the fifth version of JSON. The primary objective of version 1.2 of YAML was to make the nonstandard format a strict JSON superset.
In 2012, Douglas Crockford had this to say about comments in JSON when used as a configuration language: "I know that the lack of comments makes some people sad, but it shouldn't. Suppose you are using JSON to keep configuration files, which you would like to annotate. Go ahead and insert all the comments you like. Then pipe it through JSMin before handing it to your JSON parser."
Security considerations
JSON is intended as a data serialization format. However, its design as a subset of JavaScript can lead to the misconception that it is safe to pass JSON texts to the JavaScript eval function. This is not safe, due to the fact that certain valid JSON texts, specifically those containing U+2028 or U+2029, are actually not valid JavaScript code.
To avoid the many pitfalls caused by executing arbitrary code from the Internet, a new function, JSON.parse was first added to the fifth edition of ECMAScript, which as of 2017 is supported by all major browsers. For non-supported browsers, an API-compatible JavaScript library is provided by Douglas Crockford. In addition, the TC39 proposal "Subsume JSON" made ECMAScript a strict JSON superset as of the language's 2019 revision.
Various JSON parser implementations have suffered from denial-of-service attack and mass assignment vulnerability.
Comparison with other formats
JSON is promoted as a low-overhead alternative to XML as both of these formats have widespread support for creation, reading, and decoding in the real-world situations where they are commonly used. Apart from XML, examples could include CSV and YAML a superset of JSON. Also, Google Protocol Buffers can fill this role, although it is not a data interchange language.
]
YAML supports comments, while JSON does not.
XML has been used to describe structured data and to serialize objects. Various XML-based protocols exist to represent the same kind of data structures as JSON for the same kind of data interchange purposes. Data can be encoded in XML in several ways. The most expansive form using tag pairs results in a much larger representation than JSON, but if data is stored in attributes and 'short tag' form where the closing tag is replaced with '/>', the representation is often about the same size as JSON or just a little larger. However, an XML attribute can only have a single value and each attribute can appear at most once on each element.
XML separates "data" from "metadata" via the use of elements and attributes, while JSON does not have such a concept.
Another key difference is the addressing of values. JSON has objects with a simple "key" → "value" mapping, whereas in XML addressing happens on "nodes", which all receive a unique ID via the XML processor. Additionally, the XML standard defines a common attribute "xml:id", that can be used by the user, to set an ID explicitly.
XML tag names cannot contain any of the characters !"#$%&'*+,/;<=>?@[\]^`{|}~, nor a space character, and cannot begin with "-", ".", or a numeric digit, whereas JSON keys can even if quotation mark and reverse solidus must be escaped.
XML values are strings of characters, with no built-in type safety. XML has the concept of schema, that permits strong typing, user-defined types, predefined tags, and formal structure, allowing for formal validation of an XML stream. JSON has strong typing built-in, and has a similar schema concept in JSON Schema.
XML supports comments, while JSON does not.
{
"first name": "John",
"last name": "Smith",
"age": 25,
"address": {
"street address": "21 2nd Street",
"city": "New York",
"state": "NY",
"postal code": "10021"
},
"phone numbers": [
{
"type": "home",
"number": "212 555-1234"
},
{
"type": "fax",
"number": "646 555-4567"
}
],
"sex": {
"type": "male"
}
}
Both of the following examples carry the same kind of information as the JSON example above in different ways, except that XML doesn't carry the data type.
The JSON text above is also entirely valid YAML. YAML also offers an alternative syntax intended to be more human-accessible by replacing nested delimiters like {}, [], and " marks with indentation.
first name: John
last name: Smith
age: 25
address:
street address: 21 2nd Street
city: New York
state: NY
postal code: '10021'
phone numbers:
- type: home
number: 212 555-1234
- type: fax
number: 646 555-4567
sex:
type: male
Note that the XML examples below don't encode the data type e.g. that age is a number, and would need something like a schema to encode the same information as the JSON example above does as is. Note that the tag names are in camelCase, since XML tag names cannot have spaces in them in contrast to JSON and YAML keys, although many programmers use Snake_case to overcome this limitation i.e. <ken_block>.
<person>
<firstName>John</firstName>
<lastName>Smith</lastName>
<age>25</age>
<address>
<streetAddress>21 2nd Street</streetAddress>
<city>New York</city>
<state>NY</state>
<postalCode>10021</postalCode>
</address>
<phoneNumbers>
<phoneNumber>
<type>home</type>
<number>212 555-1234</number>
</phoneNumber>
<phoneNumber>
<type>fax</type>
<number>646 555-4567</number>
</phoneNumber>
</phoneNumbers>
<sex>
<type>male</type>
</sex>
</person>
The properties can also be serialized using attributes instead of tags:
<person firstName="John" lastName="Smith" age="25">
<address streetAddress="21 2nd Street" city="New York" state="NY" postalCode="10021" />
<phoneNumbers>
<phoneNumber type="home" number="212 555-1234"/>
<phoneNumber type="fax" number="646 555-4567"/>
</phoneNumbers>
<sex type="male"/>
</person>