Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop the json-to-jsonp auto-promoting logic #3376

Closed
mgol opened this issue Oct 24, 2016 · 3 comments · Fixed by #4754
Closed

Drop the json-to-jsonp auto-promoting logic #3376

mgol opened this issue Oct 24, 2016 · 3 comments · Fixed by #4754
Labels
Ajax Behavior Change
Milestone
4.0.0

Comments

@mgol
Copy link
Member

mgol commented Oct 24, 2016
edited
Loading

Description

Currently jQuery.ajax with dataType: 'json' gets automatically converted to a jsonp request unless one also specifies jsonp: false. Today the preferred way of interacting with a cross-domain backend is CORS which has been supported by browsers for a long time (the only roadblock is if someone requires IE 9 support).

Auto-promoting JSON requests to JSONP ones introduces a security issue as the developer may be unaware they're not just downloading data but executing code from a remote domain.

The first step in the migration could be adding code to Migrate that would require requests with dataType: 'json' to always specify jsonp: true jsonp: callbackName or jsonp: false.

Link to test case
@mgol mgol added this to the 4.0.0 milestone Oct 24, 2016
@timmywil timmywil mentioned this issue Oct 24, 2016
Closed
@raphamorim raphamorim mentioned this issue Oct 27, 2016
Closed
2 tasks
@Krinkle
Copy link
Member

Krinkle commented Nov 25, 2016
edited
Loading

I've not seen the promotion behaviour you describe. The following explicit pattern is what I've popularised and encouraged within Wikimedia:

$.ajax({
  url: 'https://remote.example.org/rest/foo',
  dataType: $.support.cors ? 'json' : 'jsonp'
});

Will this continue to use CORS+JSON for modern browsers, using JSONP as fallback only - without requiring additional options to be passed? I'd really like to avoid having to also set jsonp: false (or jsonp: !$.support.cors)

@timmywil
Copy link
Member

I don't think setting jsonp should be required. It can default to false.

mgol added a commit to mgol/jquery that referenced this issue Jul 18, 2020
@mgol
Ajax: Drop the json to jsonp auto-promotion logic
41c9cf4 
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes jquerygh-3376
@mgol mgol mentioned this issue Jul 18, 2020
Merged
4 tasks
@mgol
Copy link
Member Author

mgol commented Jul 18, 2020

PR: #4754

mgol added a commit to mgol/jquery that referenced this issue Jul 20, 2020
@mgol
Ajax: Drop the json to jsonp auto-promotion logic
b29bbd0 
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes jquerygh-3376
mgol added a commit to mgol/jquery that referenced this issue Jul 20, 2020
@mgol
Ajax: Drop the json to jsonp auto-promotion logic
b1bece3 
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes jquerygh-3376
@mgol mgol mentioned this issue Jul 22, 2020
Closed
mgol added a commit to mgol/jquery that referenced this issue Jul 22, 2020
@mgol
Ajax: Drop the json to jsonp auto-promotion logic
5f93f8e 
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes jquerygh-1799
Fixes jquerygh-3376
mgol added a commit to mgol/jquery-migrate that referenced this issue Jul 22, 2020
@mgol
Ajax: Warn against automatic JSON-to-JSONP promotion
c2172a0 
Fixes jquerygh-372
Ref jquery/jquery#1799
Ref jquery/jquery#3376
Ref jquery/jquery#4754
@mgol mgol mentioned this issue Jul 22, 2020
Merged
mgol added a commit that referenced this issue Jul 27, 2020
@mgol
Ajax: Drop the json to jsonp auto-promotion logic
e7b3bc4 
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes gh-1799
Fixes gh-3376
Closes gh-4754
mgol added a commit to mgol/jquery-migrate that referenced this issue Aug 25, 2020
@mgol
Ajax: Warn against automatic JSON-to-JSONP promotion
e35cd85 
Fixes jquerygh-372
Ref jquery/jquery#1799
Ref jquery/jquery#3376
Ref jquery/jquery#4754
mgol added a commit to jquery/jquery-migrate that referenced this issue Aug 31, 2020
@mgol
Ajax: Warn against automatic JSON-to-JSONP promotion
e9a11f7 
Fixes gh-372
Closes gh-376
Ref jquery/jquery#1799
Ref jquery/jquery#3376
Ref jquery/jquery#4754
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Ajax Behavior Change
Milestone
4.0.0
Development

Successfully merging a pull request may close this issue.

Ajax: Drop the json to jsonp auto-promotion logic mgol/jquery
3 participants
@Krinkle @timmywil @mgol