Detect and warn about Ajax JSON requests promoted to JSONP #372

Closed
dmethvin opened this issue Jul 19, 2020 · 6 comments · Fixed by #376

@dmethvin
Member

jquery/jquery#4754

Since this is a security-related issue I suspect we won't want to fill it.

@mgol
Member

mgol commented Jul 20, 2020

What do you mean by "fill it"?

@dmethvin
Member Author

Put the functionality back so it continues to work the same way it does now.

@mgol
Member

mgol commented Jul 20, 2020

Yeah, I don't think we want to do that here.

Now, that brings me back to the question of what's the goal of Migrate 3.x. Do we want it to work with jQuery 4 as well or will that one have Migrate 4.x? Because if that's the case then we shouldn't really polyfill any deprecated APIs in Core 3.x but only warn since they're all in source.

@dmethvin
Member Author

I would like to avoid another jump like we had with Migrate 1.x where users have to use two (or three!) versions of the Migrate plugin to get to the latest jQuery. Some of the changes in jQuery 1.x made it very difficult to make a single Migrate for everything. I think Migrate 3.x should work with jQuery 4.x.

@mgol
Member

mgol commented Jul 20, 2020

I see, makes sense. Too bad we left some of jQuery 1.x/2.x stuff in Migrate 3.x, they'll need to stay longer.

For the sake of this issue, though, I agree, let's not bring back potential security issues; a warning should be fine. Especially since in most cases it should be easy to fix: just change `json` to `jsonp` explicitly.
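
The condition this issue is about, as an added example that is not part of the thread or of jQuery Migrate's code: a standalone check mirroring jQuery 3.x's rule for promoting a `dataType: "json"` request to JSONP, run over constructed settings. The function name, result fields and the `api.example.test` URLs are assumptions.

```javascript
// Added example (not jQuery Migrate's code): report whether jQuery 3.x would
// silently promote a dataType "json" request to JSONP, which loads and runs
// the response as script. Function and field names are hypothetical.

// Callback placeholder jQuery 3.x searches for: "=?" before "&"/end, or "??".
const JSONP_PLACEHOLDER = /(=)\?(?=&|$)|\?\?/;
const FORM_ENCODED = "application/x-www-form-urlencoded";
const DEFAULT_CONTENT_TYPE = FORM_ENCODED + "; charset=UTF-8"; // jQuery default

function checkJsonpPromotion(settings) {
  // Only the first declared dataType selects the json/jsonp prefilter.
  const first = String(settings.dataType || "*").toLowerCase().trim().split(/\s+/)[0];
  // Explicit "jsonp" is not a promotion; jsonp: false switches promotion off.
  if (first !== "json" || settings.jsonp === false) {
    return { promoted: false, source: null };
  }
  if (JSONP_PLACEHOLDER.test(String(settings.url || ""))) {
    return { promoted: true, source: "url" };
  }
  // Only a form-encoded string body can carry a literal "=?" placeholder;
  // object data is serialized with "?" percent-encoded and never matches.
  const contentType = settings.contentType === undefined
    ? DEFAULT_CONTENT_TYPE : settings.contentType || "";
  if (typeof settings.data === "string" &&
      String(contentType).indexOf(FORM_ENCODED) === 0 &&
      JSONP_PLACEHOLDER.test(settings.data)) {
    return { promoted: true, source: "data" };
  }
  return { promoted: false, source: null };
}

// Constructed sample settings, as they might appear in an application.
const samples = [
  { url: "https://api.example.test/items?callback=?", dataType: "json" },
  { url: "https://api.example.test/items?callback=?", dataType: "json", jsonp: false },
  { url: "https://api.example.test/items", dataType: "json", data: "cb=?&id=1" },
  { url: "https://api.example.test/items?q=what?", dataType: "json" },
  { url: "https://api.example.test/items?callback=?", dataType: "jsonp" },
];

function auditSamples() {
  return samples.map((s) => {
    const r = checkJsonpPromotion(s);
    return r.promoted ? `WARN ${r.source}: ${s.url}` : `ok: ${s.url}`;
  });
}

auditSamples().forEach((line) => console.log(line));
```

A flagged call is resolved either by setting `dataType: "jsonp"` explicitly, as suggested above, or by passing `jsonp: false` so it stays a plain JSON request.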

mgol self-assigned this Jul 22, 2020
mgol added this to the 3.4.0 milestone Jul 22, 2020
@mgol
Member

mgol commented Jul 22, 2020

PR: #376
