
Deprecate JSONP support and update MappingJackson2JsonView defaults [SPR-16798] #21338

Closed
spring-issuemaster opened this issue May 8, 2018 · 3 comments

Comments

@spring-issuemaster
Collaborator

commented May 8, 2018

Meyyalagan Chandrasekaran opened SPR-16798 and commented

The MappingJacksonJsonView class started supporting JSONP callbacks by default, which can make applications vulnerable to JSONP hijacking when developers upgrade their application to Spring 4.1 without realizing that JSONP support comes with the upgrade.

It would be helpful if we could avoid cross-domain requests by default unless developers want to turn it on explicitly.


Reference URL: #12994

Issue Links:

  • #12994 Support JSON-P Callback parameters in MappingJacksonJsonView
  • #21453 Remove JSONP support

Referenced from: commits 8748594, b80c13b

Backported to: 4.3.18

@spring-issuemaster

Collaborator Author

commented Jun 1, 2018

Sébastien Deleuze commented

Indeed, just as we require explicit CORS configuration, I guess it makes sense to change the MappingJackson2JsonView#jsonpParameterNames default value to an empty set, and require users to invoke MappingJackson2JsonView#setJsonpParameterNames to enable such support explicitly.

Juergen Hoeller, Rossen Stoyanchev: despite this being a breaking change, I think I would like to apply this to the 5.0 and 4.3 branches as well. Is it OK for you?

@spring-issuemaster

Collaborator Author

commented Jun 7, 2018

Sébastien Deleuze commented

We are going to deprecate JSONP in the 4.3.x and 5.0.x branches in favor of CORS and disable it by default in MappingJackson2JsonView by changing jsonpParameterNames to an empty set.
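As an added example, not code from the issue or from the Spring Framework itself, this is the explicit configuration the thread converges on: JSONP left off in MappingJackson2JsonView (the empty-set default the fix introduces, applied by hand on an older release) and cross-origin access granted through CORS instead. It assumes Spring 5's WebMvcConfigurer interface; the mapping path and allowed origin are placeholders.

```java
// Added example, not part of the issue or of Spring Framework: keep JSONP off in
// MappingJackson2JsonView and serve cross-origin clients through CORS instead.
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

@Configuration
@EnableWebMvc
public class JsonViewConfig implements WebMvcConfigurer {

    @Bean
    public MappingJackson2JsonView jsonView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        // Before this fix the view answered any request carrying a "jsonp" or
        // "callback" parameter with script-wrapped JSON. An empty set means no
        // parameter name triggers JSONP, which is the default the fix establishes.
        view.setJsonpParameterNames(Collections.emptySet());
        return view;
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Cross-origin access is granted per origin explicitly (placeholder values),
        // so the browser's same-origin checks stay in force for everyone else.
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")
                .allowedMethods("GET");
    }
}
```

On 4.3.x the same view bean applies; only the configurer base type differs (WebMvcConfigurerAdapter instead of the WebMvcConfigurer interface).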

@spring-issuemaster

Collaborator Author

commented Jun 11, 2018

Meyyalagan Chandrasekaran commented

Thanks for resolving this issue so quickly. Highly appreciate it!
