  1. Spring Framework
  2. SPR-16798

Deprecate JSONP support and update MappingJackson2JsonView defaults

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 4.3.18, 5.0.7
    • Component/s: Web
    • Labels:
      None

      Description

      The MappingJacksonJsonView class started supporting JSONP callbacks by default, which can make applications vulnerable to JSONP hijacking when developers upgrade their application to Spring 4.1 without realizing that JSONP support comes with the upgrade.

      It would be helpful if we could avoid cross-domain requests by default unless developers want to turn them on explicitly.
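
A regression check for the behaviour described above, as an added example that is not part of the original issue or the Spring project's code: it renders a constructed model for a request carrying a `callback` parameter, once through a view left at library defaults and once through a view with JSONP parameter names cleared. It assumes spring-webmvc, spring-test and Jackson on the classpath, and a Spring version in the 4.1 to 5.0.x range where `setJsonpParameterNames` is available; the class name, request path, parameter value and model are hypothetical.

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

// Added example (hypothetical class name), not code from the Spring project.
public class JsonpDefaultCheck {

    // Render a constructed model for a request that carries ?callback=cb and
    // return the content type and body the view produced.
    static String render(MappingJackson2JsonView view) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/account");
        request.addParameter("callback", "cb"); // constructed sample parameter
        MockHttpServletResponse response = new MockHttpServletResponse();
        Map<String, Object> model =
                Collections.<String, Object>singletonMap("balance", 100);
        view.render(model, request, response);
        return response.getContentType() + " -> " + response.getContentAsString();
    }

    // Hardened view: with an empty set, no query parameter is treated as a
    // JSONP callback name, so the body stays plain JSON.
    static MappingJackson2JsonView hardenedView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        view.setJsonpParameterNames(Collections.<String>emptySet());
        return view;
    }

    public static void main(String[] args) throws Exception {
        String asShipped = render(new MappingJackson2JsonView());
        String hardened = render(hardenedView());
        System.out.println("library defaults: " + asShipped);
        System.out.println("hardened:         " + hardened);

        // The hardened view must never wrap the JSON in the caller-chosen function.
        if (hardened.contains("cb(")) {
            throw new IllegalStateException("JSONP wrapping still active");
        }
        // Report whether the Spring version on the classpath enables JSONP by default.
        if (asShipped.contains("cb(")) {
            System.out.println("WARNING: default view wraps responses in a JSONP callback");
        }
    }
}
```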

              People

              • Assignee:
                sdeleuze Sébastien Deleuze
                Reporter:
                meyy Meyyalagan Chandrasekaran
                Last updater:
                Stéphane Nicoll
              • Votes:
                0
                Watchers:
                3

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  23 weeks, 1 day ago