path: root/test/data/csp-ajax-script.js
author: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>, 2020-07-27 19:15:57 +0200
committer: GitHub <noreply@github.com>, 2020-07-27 19:15:57 +0200
commit: e7b3bc488d01d584262e12a7c5c25f935d0d034b
tree: 1e4f60870089f82a7dae69598a4121d4d778d8ea /test/data/csp-ajax-script.js
parent: fa0058af426c4e482059214c29c29f004254d9a1
Ajax: Drop the json to jsonp auto-promotion logic
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was automatically converted to a jsonp request unless one also specified `jsonp: false`. Today the preferred way of interacting with a cross-domain backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the developer may be unaware they're not just downloading data but executing code from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify `dataType: "jsonp"`; previously some requests with `dataType: "json"` were auto-promoted to JSONP.

Fixes gh-1799
Fixes gh-3376
Closes gh-4754
Diffstat (limited to 'test/data/csp-ajax-script.js')
0 files changed, 0 insertions, 0 deletions
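An audit helper for the behaviour the commit message describes, added here as an example and not taken from jQuery or this commit: it flags `jQuery.ajax` settings with `dataType: "json"` that the old logic would have sent as JSONP. It assumes the "provided callback" is the `=?` (or `??`) placeholder in the URL or form-encoded data; the file names and hosts in the sample inventory are constructed.

```javascript
// Added example: a simplified model of the pre-change promotion check, not jQuery source.
// Assumption: the "provided callback" is the `=?` (or `??`) placeholder in the URL or data.
const CALLBACK_PLACEHOLDER = /(=)\?(?=&|$)|\?\?/;
const FORM_TYPE = "application/x-www-form-urlencoded";

// True when a dataType "json" request would have been silently sent as JSONP.
function wasAutoPromoted(settings) {
  if (String(settings.dataType || "").toLowerCase() !== "json") return false;
  if (settings.jsonp === false) return false; // the opt-out named in the commit message
  if (CALLBACK_PLACEHOLDER.test(settings.url || "")) return true;
  const contentType = settings.contentType || FORM_TYPE;
  return typeof settings.data === "string" &&
    contentType.indexOf(FORM_TYPE) === 0 &&
    CALLBACK_PLACEHOLDER.test(settings.data);
}

// One finding per affected call; crossOrigin marks calls that ran script from another origin.
function auditAjaxCalls(calls, pageOrigin) {
  const origin = new URL(pageOrigin).origin;
  return calls
    .filter((call) => wasAutoPromoted(call.settings))
    .map((call) => ({
      where: call.where,
      crossOrigin: new URL(call.settings.url, origin).origin !== origin,
      fix: 'use CORS with dataType: "json", or request dataType: "jsonp" explicitly',
    }));
}

// Constructed sample inventory (hypothetical files and hosts).
const SAMPLE_CALLS = [
  { where: "widgets.js:12", settings: { url: "https://api.example.net/feed?callback=?", dataType: "json" } },
  { where: "list.js:40", settings: { url: "/api/items?cb=?", dataType: "json" } },
  { where: "feed.js:3", settings: { url: "https://api.example.net/feed?callback=?", dataType: "json", jsonp: false } },
  { where: "plain.js:9", settings: { url: "https://api.example.net/feed", dataType: "json" } },
  { where: "search.js:7", settings: { url: "https://api.example.net/search", dataType: "json", data: "q=x&callback=?" } },
  { where: "legacy.js:21", settings: { url: "https://api.example.net/feed?callback=?", dataType: "jsonp" } },
];

console.table(auditAjaxCalls(SAMPLE_CALLS, "https://app.example.com"));
```

Calls flagged with `crossOrigin: true` are the ones where a request written as a JSON download executed a response from another origin as script.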