Description
Currently jQuery.ajax with dataType: 'json' gets automatically converted to a jsonp request unless one also specifies jsonp: false. Today the preferred way of interacting with a cross-domain backend is CORS which has been supported by browsers for a long time (the only roadblock is if someone requires IE 9 support).
Auto-promoting JSON requests to JSONP ones introduces a security issue as the developer may be unaware they're not just downloading data but executing code from a remote domain.
The first step in the migration could be adding code to Migrate that would require requests with dataType: 'json' to always specify jsonp: truejsonp: callbackName or jsonp: false.
Link to test case
Description
Currently jQuery.ajax with
dataType: 'json'gets automatically converted to a jsonp request unless one also specifiesjsonp: false. Today the preferred way of interacting with a cross-domain backend is CORS which has been supported by browsers for a long time (the only roadblock is if someone requires IE 9 support).Auto-promoting JSON requests to JSONP ones introduces a security issue as the developer may be unaware they're not just downloading data but executing code from a remote domain.
The first step in the migration could be adding code to Migrate that would require requests with
dataType: 'json'to always specifyjsonp: truejsonp: callbackNameorjsonp: false.Link to test case