javascript: Calling HTTPS from HTTP through AJAX for login

Disclaimer: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must comply with the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/7594193/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-10-26 00:38:28  Source: igfitidea

Calling HTTPS from HTTP through AJAX for login

Tags: javascript, ajax, http, https, jsonp

Asked by MarutiB

I know it violates the Same origin policy, and that is why it is not possible through a simple ajax request. I could use JSONP. But using JSONP for login doesn't sound secure (no POST, only GET).


So is there a more secure way of implementing login into HTTPS through ajax?


Answered by Quentin

Not only does it violate the same origin policy, but since the page you are calling from is insecure it has the potential to be interfered with and leak all the data you are trying to keep secure.


Use HTTPS for the entire process.


Better yet, keep using HTTPS while people are logged in, otherwise you will have the Firesheep problem.


Answered by Dave

As we've discussed in the comments below, this is what Facebook does for their registration page, although there are some vulnerabilities to this method. While it won't appear secure to the user (no lock icon), the actual request is done over HTTPS. If you controlled the entirety of the receiving page, there would be nothing less secure about doing a JSONP request over GET. However, a man-in-the-middle attack could modify the receiving page on load, and cause the returned credentials to be sent to an attacker.


On the plus side though, no one that's just sniffing packets is going to be able to get the credentials: an attack would have to be fairly targeted.


Regarding cookies, technically, JSONP could "return" cookies; you'd just return name-value pairs of the cookies you wanted to set, and have a function on the receiving page set them.


But unless the browser treats <script>s differently, and it might, you should be able to set a cookie in the normal way using the Response Headers of your JSONP response.

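The JSONP login described in Dave's answer, both halves, as an added example that is not part of the original answer: the HTTP-served page builds a `<script src>` URL pointing at the HTTPS endpoint, and the endpoint answers with a script that calls the named callback and sets the session cookie through a Set-Cookie response header rather than in the script body, so the HTTP page's JavaScript never handles the session id. The callback name is checked against an identifier pattern because an unchecked `callback` parameter lets a caller inject arbitrary JavaScript into the response. Origin, path, `checkPassword` and `newSessionId` are placeholders; the endpoint is a pure function over the request URL so it runs without a server.

```javascript
'use strict';

// A JSONP callback must be a plain (possibly dotted) JavaScript identifier.
// Anything else, e.g. "alert(1)//", would be echoed into executable code.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Client side (the page served over HTTP). It cannot XMLHttpRequest the
// HTTPS origin, so it loads a <script> whose src carries the credentials.
// Note that a GET puts the password in the query string, which normally
// ends up in server access logs and the browser history.
function jsonpLoginUrl(apiOrigin, user, password, callbackName) {
  if (!CALLBACK_RE.test(callbackName)) throw new Error('bad callback name');
  const u = new URL('/login.jsonp', apiOrigin);
  u.searchParams.set('user', user);
  u.searchParams.set('password', password);
  u.searchParams.set('callback', callbackName);
  return u.toString();
}

// Server side (the HTTPS endpoint). Returns status, headers and the script
// body the browser will execute. `checkPassword(user, password)` and
// `newSessionId()` stand in for the real credential store and session store.
function handleJsonpLogin(requestUrl, checkPassword, newSessionId) {
  const u = new URL(requestUrl);
  const cb = u.searchParams.get('callback') || '';
  if (!CALLBACK_RE.test(cb)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    // Never cache a login response: a cached copy would replay the Set-Cookie.
    'Cache-Control': 'no-store',
    'X-Content-Type-Options': 'nosniff',
  };
  const user = u.searchParams.get('user') || '';
  const password = u.searchParams.get('password') || '';
  if (!checkPassword(user, password)) {
    return { status: 200, headers, body: `${cb}(${JSON.stringify({ ok: false })});` };
  }
  // The session id travels only in the header. Secure means the browser sends
  // it back solely over HTTPS, even though the page that triggered the login
  // was served over HTTP on the same host; HttpOnly hides it from scripts.
  headers['Set-Cookie'] = `sid=${newSessionId()}; Path=/; Secure; HttpOnly; SameSite=Lax`;
  return { status: 200, headers, body: `${cb}(${JSON.stringify({ ok: true, user })});` };
}

module.exports = { CALLBACK_RE, jsonpLoginUrl, handleJsonpLogin };
```

On the page, `document.createElement('script')` with `src = jsonpLoginUrl(...)` and a global `Login.onResult` function completes the flow. The design choice worth noticing is the one Dave's answer makes: returning name/value pairs for the page to set as cookies would hand the session id to JavaScript running in the HTTP page, which is precisely what a man-in-the-middle can rewrite; the header-set cookie keeps it out of that page's reach, though it does nothing about a rewritten page that simply sends the typed password elsewhere before the request is made.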