Remove JSONP support #4270

Closed
kanongil opened this issue Jul 21, 2021 · 1 comment
Labels
breaking changes (Change that can break existing code), feature (New functionality or improvement)

Comments

@kanongil
Contributor

Support plan

  • is this issue currently blocking your project? (yes/no): no
  • is this issue affecting a production system? (yes/no): no

Context

  • node version: any
  • module version: 20.x
  • environment (e.g. node, browser, native): node
  • used with (e.g. hapi application, another framework, standalone, ...):
  • any other relevant information:

What problem are you trying to solve?

Simpler, more secure hapi.

Do you have a new or modified API suggestion to solve the problem?

Remove built-in JSONP support. See https://dev.to/benregenspan/the-state-of-jsonp-and-jsonp-vulnerabilities-in-2021-52ep for some recent insights.

While the JSONP feature does not affect any hapi usage where it is not enabled, it does add a bit of unnecessary maintenance burden and complicates the API. Given that no new projects should ever use this feature, and all use cases can be handled using the built-in CORS support, I say that this is a good candidate for removal in a future breaking release. Any project that still somehow requires it should be able to handle it manually or using a plugin.

kanongil added the feature and breaking changes labels on Jul 21, 2021
kanongil added a commit to kanongil/hapi that referenced this issue Jul 21, 2021
@hueniverse
Contributor

Sounds like a good idea. I wanted to remove it in every release after it was added. If anyone is still using JSONP, they are probably on hapi 16...
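
An added example, not hapi's code and not part of the original issue: the checks a handler takes on when it produces JSONP itself, as the issue suggests remaining users do. The function name `jsonpResponse`, the callback pattern and the 64-character limit are assumptions; passing the returned status, headers and body to a route is left to the application.

```javascript
'use strict';

// Assumed policy: a callback is a dotted path of plain identifiers,
// e.g. "handleData" or "app.onData". Anything else is rejected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LENGTH = 64; // assumed limit

function jsonpResponse(callback, data) {
    // A repeated query parameter may arrive as an array, so require a string.
    if (typeof callback !== 'string' ||
        callback.length > MAX_CALLBACK_LENGTH ||
        !CALLBACK_RE.test(callback)) {
        return {
            statusCode: 400,
            headers: { 'content-type': 'text/plain; charset=utf-8' },
            body: 'Invalid JSONP callback name'
        };
    }

    // JSON.stringify returns undefined for undefined/functions; send null instead.
    // U+2028 and U+2029 are valid in JSON but were line terminators in
    // JavaScript before ES2019, so escape them before the body runs as script.
    const json = (JSON.stringify(data) ?? 'null')
        .replace(/\u2028/g, '\\u2028')
        .replace(/\u2029/g, '\\u2029');

    return {
        statusCode: 200,
        headers: {
            // Serve as script and forbid MIME sniffing of the response.
            'content-type': 'text/javascript; charset=utf-8',
            'x-content-type-options': 'nosniff'
        },
        // The leading comment keeps the caller-chosen name from being the
        // first bytes of the response body.
        body: `/**/${callback}(${json});`
    };
}

// Constructed sample inputs.
console.log(jsonpResponse('handleData', { id: 7 }).body);
console.log(jsonpResponse('alert(1)//', { id: 7 }).statusCode);
```
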
