author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2020-07-27 19:15:57 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-27 19:15:57 +0200 |
commit | e7b3bc488d01d584262e12a7c5c25f935d0d034b (patch) | |
tree | 1e4f60870089f82a7dae69598a4121d4d778d8ea /test/middleware-mockserver.js | |
parent | fa0058af426c4e482059214c29c29f004254d9a1 (diff) | |
Ajax: Drop the json to jsonp auto-promotion logic

Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes gh-1799
Fixes gh-3376
Closes gh-4754

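
An audit helper for the breaking change described in the commit message above, added here as an example and not part of the commit or of jQuery's code. It models which `dataType: "json"` call sites the old logic would have turned into JSONP; the placeholder pattern, the helper names and the sample call sites are assumptions made for the illustration.

```javascript
// Added example: a simplified model of the pre-4.0 promotion check, not jQuery's source.
// Assumption: "a provided callback" means a "=?" (or "??") placeholder in the URL
// or in a form-encoded string body.
const CALLBACK_PLACEHOLDER = /(=)\?(?=&|$)|\?\?/;
const FORM_TYPE = "application/x-www-form-urlencoded";

// True when a request declared as JSON would have been sent as JSONP,
// i.e. the response would have been executed as script instead of parsed as data.
function wouldAutoPromote(settings) {
  const dataType = String(settings.dataType || "").toLowerCase();
  if (dataType !== "json") return false;      // explicit "jsonp" is a deliberate choice
  if (settings.jsonp === false) return false; // the old opt-out named in the commit message
  if (CALLBACK_PLACEHOLDER.test(settings.url || "")) return true;
  const contentType = settings.contentType || FORM_TYPE;
  return typeof settings.data === "string" &&
    contentType.indexOf(FORM_TYPE) === 0 &&
    CALLBACK_PLACEHOLDER.test(settings.data);
}

// Return the locations of call sites that relied on the old promotion.
function auditCalls(calls) {
  return calls.filter((c) => wouldAutoPromote(c.settings)).map((c) => c.where);
}

// Constructed sample call sites (hypothetical file names and URLs).
const SAMPLE_CALLS = [
  { where: "profile.js:12",
    settings: { url: "https://api.example.test/user?callback=?", dataType: "json" } },
  { where: "local.js:7",
    settings: { url: "/data/items.json", dataType: "json" } },
  { where: "optout.js:3",
    settings: { url: "https://api.example.test/user?callback=?", dataType: "json", jsonp: false } },
  { where: "search.js:40",
    settings: { url: "/search", dataType: "json", data: "q=x&cb=?" } },
  { where: "explicit.js:9",
    settings: { url: "https://api.example.test/user?callback=?", dataType: "jsonp" } },
];

console.log(auditCalls(SAMPLE_CALLS)); // call sites to review before upgrading
```

Call sites it reports either move to CORS with plain JSON or state `dataType: "jsonp"` explicitly, so that executing a remote response is a visible decision.
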
Diffstat (limited to 'test/middleware-mockserver.js')
-rw-r--r-- | test/middleware-mockserver.js | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/test/middleware-mockserver.js b/test/middleware-mockserver.js index f6196d230..e3b0bd163 100644 --- a/test/middleware-mockserver.js +++ b/test/middleware-mockserver.js @@ -81,6 +81,9 @@ var mocks = { if ( req.query.header ) { resp.writeHead( 200, { "content-type": "application/json" } ); } + if ( req.query.cors ) { + resp.writeHead( 200, { "access-control-allow-origin": "*" } ); + } if ( req.query.array ) { resp.end( JSON.stringify( [ { name: "John", age: 21 }, { name: "Peter", age: 25 } ] |
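
Review bot: The new `if ( req.query.cors )` block calls `resp.writeHead( 200, ... )` independently of the `if ( req.query.header )` block just above it, so a request that sets both `header` and `cors` reaches `writeHead` twice on the same response, and a `cors`-only request is answered with no `content-type`. Consider collecting the headers in one object and calling `writeHead` once, or using `resp.setHeader( "access-control-allow-origin", "*" )` in the `cors` branch. A short comment that the wildcard origin exists only so the test suite can exercise cross-origin JSON through CORS would also help anyone who later copies this mock.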