If you make a client-side getJSON() call with (&callback=) to a site that is rate-limited by IP address, do they see your site or the end-user's?

StackOverflow https://stackoverflow.com/questions/4113520

Question

If your web app uses web service API calls to an external source, some of these sources will rate-limit you based on IP address.

If you make these calls from client-side JavaScript -- meaning that they are triggered by browser actions of the end user -- does the remote site (which sends back the JSON data) see your site's IP address or the IP address of the end-user (for the purpose of this IP address-based rate limiting)?

My understanding is that by using &callback= in the data source URL, you will issue a JSONP request, which means that the address seen by the remote host is that of the end-user and not the address of your site.

For example:

jQuery.getJSON(url+"&callback=?", function(data) {
    alert("Stock Symbol: " + data.symbol + ", Stock Price: " + data.price);
});

Is it correct that a call like the one above would be seen as coming from the end-user's IP address and not from your web app's server IP address?

Solution

They see the end user's IP; a JSONP request goes straight from the user's browser to the URL it points to. What you're basically doing by making a JSONP call is adding this to the page:

<script type="text/javascript" src="url?callback=someFunctionName"></script>

This makes the browser just fetch and run that script, which has this content:

someFunctionName({ /* data object */ });
Licensed under: CC-BY-SA with attribution
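
An added example, not part of the original question or answer: a simulation of a remote API that rate-limits by peer IP address, comparing browser-issued JSONP requests (counted per end user) with the same requests relayed through your own server (all counted against one address). The limit, window, documentation-range addresses, sample data and function names are assumptions.

```javascript
// Added example. All names, limits and addresses below are assumptions.
// The remote API keys its limiter on the TCP peer address of each request.
function makeLimiter(limit, windowMs) {
  const buckets = new Map(); // peer IP -> { start, count }
  return function allow(ip, now) {
    const b = buckets.get(ip);
    if (!b || now - b.start >= windowMs) {
      buckets.set(ip, { start: now, count: 1 }); // new window for this IP
      return true;
    }
    if (b.count < limit) { b.count += 1; return true; }
    return false; // over the limit inside the current window
  };
}

// Remote JSONP endpoint: returns a script body that calls the named callback.
function handleJsonp(allow, peerIp, callback, now) {
  // Accept only a plain identifier as the callback name.
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(callback)) return { status: 400, body: "" };
  if (!allow(peerIp, now)) return { status: 429, body: "" };
  const data = { symbol: "XYZ", price: 12.5 }; // constructed sample data
  return { status: 200, body: `${callback}(${JSON.stringify(data)});` };
}

// Three end users each trigger two lookups within one window.
// mode "jsonp": each browser connects to the API itself.
// mode "proxy": your server fetches on the users' behalf.
function simulate(mode) {
  const allow = makeLimiter(3, 60000); // 3 requests per minute per IP
  const users = ["198.51.100.10", "198.51.100.11", "198.51.100.12"];
  const serverIp = "203.0.113.5";
  const statuses = [];
  for (let round = 0; round < 2; round++) {
    for (const userIp of users) {
      const peer = mode === "jsonp" ? userIp : serverIp;
      statuses.push(handleJsonp(allow, peer, "someFunctionName", 1000 + round).status);
    }
  }
  return statuses;
}

console.log("jsonp:", simulate("jsonp").join(" "));
console.log("proxy:", simulate("proxy").join(" "));
```

In "jsonp" mode all six requests succeed because each user has a separate bucket; in "proxy" mode the fourth request onward gets 429 because they all arrive from the server's address.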