Deprecate JSONP support and update MappingJackson2JsonView defaults [SPR-16798] #21338
The MappingJacksonJsonView class started supporting JSONP callbacks by default, which can make applications vulnerable to JSONP hijacking when developers upgrade their application to Spring 4.1 without realizing that JSONP support comes with the upgrade.
It would be helpful if we can avoid cross-domain requests by default unless developers wanted to turn it on explicitly.
Reference URL: #12994
Backported to: 4.3.18
Sébastien Deleuze commented
Indeed, like we require explicit CORS configuration, I guess it makes sense to change