Closed
Description
Currently jQuery.ajax with dataType: 'json' gets automatically converted to a jsonp request unless one also specifies jsonp: false. Today the preferred way of interacting with a cross-domain backend is CORS which has been supported by browsers for a long time (the only roadblock is if someone requires IE 9 support).
Auto-promoting JSON requests to JSONP ones introduces a security issue as the developer may be unaware they're not just downloading data but executing code from a remote domain.
The first step in the migration could be adding code to Migrate that would require requests with dataType: 'json' to always specify jsonp: true, jsonp: callbackName or jsonp: false.
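An audit helper for the rule proposed above, added here as an illustration; it is not code from jQuery, jQuery Migrate or the issue author. It assumes promotion is triggered by a `=?` or `??` callback placeholder in the URL or in form-encoded string data; `classifyJsonRequest`, `auditRequests` and the sample settings are hypothetical names and constructed inputs.

```javascript
// Added example (not jQuery's code). Assumption: JSON-to-JSONP promotion happens when a
// "=?" or "??" callback placeholder appears in the URL or in form-encoded string data.
const JSONP_PLACEHOLDER = /(=)\?(?=&|$)|\?\?/;
const FORM_ENCODED = "application/x-www-form-urlencoded";

// Classify one $.ajax-style settings object:
//   "not-json"    dataType is not 'json', the rule does not apply
//   "explicit"    jsonp stated as true, a callback name, or false (what the issue asks for)
//   "promoted"    jsonp unstated and a placeholder is present: response would run as script
//   "unspecified" jsonp unstated, no placeholder: plain JSON today, but fails the proposed rule
function classifyJsonRequest(settings) {
  if (String(settings.dataType || "").trim().toLowerCase() !== "json") return "not-json";

  const jsonp = settings.jsonp;
  if (jsonp === false || jsonp === true || (typeof jsonp === "string" && jsonp !== "")) {
    return "explicit";
  }

  // Assumed default content type when the caller does not set one.
  const contentType = String(settings.contentType || FORM_ENCODED);
  const inUrl = JSONP_PLACEHOLDER.test(String(settings.url || ""));
  const inData = typeof settings.data === "string" &&
    contentType.indexOf(FORM_ENCODED) === 0 &&
    JSONP_PLACEHOLDER.test(settings.data);

  return inUrl || inData ? "promoted" : "unspecified";
}

// Return only the requests a reviewer needs to look at, most serious first.
function auditRequests(list) {
  return list
    .map((settings) => ({ url: settings.url, status: classifyJsonRequest(settings) }))
    .filter((r) => r.status === "promoted" || r.status === "unspecified")
    .sort((a, b) => (a.status === b.status ? 0 : a.status === "promoted" ? -1 : 1));
}

// Constructed sample settings (hypothetical endpoints).
const SAMPLE_REQUESTS = [
  { url: "https://api.example.test/items?id=5", dataType: "json" },
  { url: "https://api.example.test/items?callback=?", dataType: "json" },
  { url: "https://api.example.test/items?callback=?", dataType: "json", jsonp: false },
  { url: "https://api.example.test/search", dataType: "json", data: "q=x&cb=?" },
  { url: "https://api.example.test/save", dataType: "json", data: '{"note":"??"}',
    contentType: "application/json" },
  { url: "https://api.example.test/page", dataType: "html" },
];

console.log(auditRequests(SAMPLE_REQUESTS));
```
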