Deprecate JSONP support and update MappingJackson2JsonView defaults [SPR-16798]

[spring-projects-issues]

Meyyalagan Chandrasekaran opened SPR-16798 and commented

MappingJacksonJsonView class started supporting JSONP callback by default which can make applications vulnerable to JSONP Hijacking when developers upgrade their application to Spring 4.1 without realizing JSONP support coming with upgrade. 

It would be helpful if we can avoid cross-domain requests by default unless developers wanted to turn it on explicitly.

---

Reference URL: #12994

Issue Links:

• Support JSON-P Callback parameters in MappingJacksonJsonView [SPR-8346] #12994 Support JSON-P Callback parameters in MappingJacksonJsonView
• Remove JSONP support [SPR-16914] #21453 Remove JSONP support

Referenced from: commits 8748594, b80c13b

Backported to: 4.3.18

[spring-projects-issues]

Sébastien Deleuze commented

Indeed, like we require CORS explicit configuration, I guess it make sense to change MappingJackson2JsonView#jsonpParameterNames default value to an empty set, and require users to invoke MappingJackson2JsonView#setJsonpParameterNames to enable such support explicitly.

Juergen Hoeller Rossen Stoyanchev Despite this being a breaking change, I think I would like to apply this to 5.0 and 4.3 branches as well. Is it ok for you ?

[spring-projects-issues]

Sébastien Deleuze commented

We are going to deprecate JSONP in 4.3.x and 5.0.x branches in favor of CORS and disable it by default in MappingJackson2JsonView by changing jsonpParameterNames to an empty set.

[spring-projects-issues]

Meyyalagan Chandrasekaran commented

Thanks for resolving this issue so quick. Highly Appreciate it!