Remove jsonp support and associated tests, closes #9108

config/elasticsearch.yml

@@ -294,7 +294,7 @@
 # and master node is elected. Multicast discovery is the default.
 
 # Set to ensure a node sees N other master eligible nodes to be considered
-# operational within the cluster. This should be set to a quorum/majority of 
+# operational within the cluster. This should be set to a quorum/majority of
 # the master-eligible nodes in the cluster.
 #
 #discovery.zen.minimum_master_nodes: 1
@@ -371,11 +371,3 @@
 #monitor.jvm.gc.old.warn: 10s
 #monitor.jvm.gc.old.info: 5s
 #monitor.jvm.gc.old.debug: 2s
-
-################################## Security ################################
-
-# Uncomment if you want to enable JSONP as a valid return transport on the
-# http server. With this enabled, it may pose a security risk, so disabling
-# it unless you need it is recommended (it is disabled by default).
-#
-#http.jsonp.enable: true

docs/reference/api-conventions.asciidoc

@@ -243,23 +243,6 @@ field names in the result will be returned in camel casing, otherwise,
 underscore casing will be used. Note, this does not apply to the source
 document indexed.
 
-[float]
-=== JSONP
-
-By default JSONP responses are disabled.
-
-When enabled, all REST APIs accept a `callback` parameter
-resulting in a http://en.wikipedia.org/wiki/JSONP[JSONP] result. You can enable
-this behavior by adding the following to `config.yaml`:
-
-    http.jsonp.enable: true
-
-Please note, when enabled, due to the architecture of Elasticsearch, this may pose
-a security risk. Under some circumstances, an attacker may be able to exfiltrate
-data in your Elasticsearch server if they're able to force your browser to make a
-JSONP request on your behalf (e.g. by including a <script> tag on an untrusted site
-with a legitimate query against a local Elasticsearch server).
-
 [float]
 === Request body in query string
 

docs/reference/migration/migrate_2_0.asciidoc

@@ -322,3 +322,14 @@ either the HTTP transport (enabled by default) or the node or transport Java cli
 The `count` search type has been deprecated. All benefits from this search type can
 now be achieved by using the `query_then_fetch` search type (which is the
 default) and setting `size` to `0`.
+
+=== JSONP support
+
+JSONP callback support has now been removed. CORS should be used to access Elasticsearch
+over AJAX instead:
+
+[source,yaml]
+---------------
+http.cors.enabled: true
+http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/
+---------------

src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java

@@ -51,13 +51,6 @@
  */
 public class NettyHttpChannel extends HttpChannel {
 
-    private static final ChannelBuffer END_JSONP;
-
-    static {
-        BytesRef U_END_JSONP = new BytesRef(");");
-        END_JSONP = ChannelBuffers.wrappedBuffer(U_END_JSONP.bytes, U_END_JSONP.offset, U_END_JSONP.length);
-    }
-
     private final NettyHttpServerTransport transport;
     private final Channel channel;
     private final org.jboss.netty.handler.codec.http.HttpRequest nettyRequest;
@@ -149,20 +142,6 @@ public void sendResponse(RestResponse response) {
             } else {
                 buffer = content.copyBytesArray().toChannelBuffer();
             }
-            // handle JSONP
-            String callback = request.param("callback");
-            if (callback != null) {
-                final BytesRef callbackBytes = new BytesRef(callback);
-                callbackBytes.bytes[callbackBytes.length] = '(';
-                callbackBytes.length++;
-                buffer = ChannelBuffers.wrappedBuffer(NettyUtils.DEFAULT_GATHERING,
-                        ChannelBuffers.wrappedBuffer(callbackBytes.bytes, callbackBytes.offset, callbackBytes.length),
-                        buffer,
-                        ChannelBuffers.wrappedBuffer(END_JSONP)
-                );
-                // Add content-type header of "application/javascript"
-                resp.headers().add(HttpHeaders.Names.CONTENT_TYPE, "application/javascript");
-            }
             resp.setContent(buffer);
 
             // If our response doesn't specify a content-type header, set one

src/main/java/org/elasticsearch/rest/RestController.java

@@ -43,7 +43,6 @@
  */
 public class RestController extends AbstractLifecycleComponent<RestController> {
 
-    public static final String HTTP_JSON_ENABLE = "http.jsonp.enable";
     private ImmutableSet<String> relevantHeaders = ImmutableSet.of();
 
     private final PathTrie<RestHandler> getHandlers = new PathTrie<>(RestUtils.REST_DECODER);
@@ -182,26 +181,12 @@ public void dispatchRequest(final RestRequest request, final RestChannel channel
     }
 
     /**
-     * Checks the request parameters against enabled settings for JSONP and error trace support
+     * Checks the request parameters against enabled settings for error trace support
      * @param request
      * @param channel
      * @return true if the request does not have any parameters that conflict with system settings
      */
     boolean checkRequestParameters(final RestRequest request, final RestChannel channel) {
-        // If JSONP is disabled and someone sends a callback parameter we should bail out before querying
-        if (!settings.getAsBoolean(HTTP_JSON_ENABLE, false) && request.hasParam("callback")) {
-            try {
-                XContentBuilder builder = channel.newBuilder();
-                builder.startObject().field("error","JSONP is disabled.").endObject().string();
-                RestResponse response = new BytesRestResponse(FORBIDDEN, builder);
-                response.addHeader("Content-Type", "application/javascript");
-                channel.sendResponse(response);
-            } catch (IOException e) {
-                logger.warn("Failed to send response", e);
-            }
-            return false;
-        }
-
         // error_trace cannot be used when we disable detailed errors
         if (channel.detailedErrorsEnabled() == false && request.paramAsBoolean("error_trace", false)) {
             try {