refactor(http): Add explicit mention of the dangerosity of JSONP on the API entries#69168

Open
JeanMeche wants to merge 1 commit into angular:main from JeanMeche:dangerous-jsonp

JeanMeche (Member) commented Jun 4, 2026

In addition to deprecating JSONP support (#69116), we will rename both the provider function and the module to make explicit that JSONP can be an attack vector and should be used with caution.
While this is a breaking change, we consider this a hardening change. Also, our investigation showed that this API is not widely used.

BREAKING CHANGE: JSONP is considered a liability and its usage is not recommended. The API will be removed in v23. Please transition to CORS-enabled APIs instead.

@JeanMeche JeanMeche requested a review from AndrewKushnir June 4, 2026 21:43
@angular-robot angular-robot Bot added the area: common/http Issues related to HTTP and HTTP Client label Jun 4, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 4, 2026
SkyZeroZx (Contributor) commented

We can also add a warning to the documentation in the HTTP Client section under JSONP.

Comment thread packages/common/http/src/module.ts Outdated
Comment thread packages/common/http/src/module.ts Outdated
Comment thread packages/common/http/public_api.ts Outdated
@pullapprove pullapprove Bot requested review from atscott and crisbeto June 4, 2026 21:56
Comment thread adev/src/content/guide/http/setup.md Outdated
@angular-robot angular-robot Bot added the detected: breaking change PR contains a commit with a breaking change label Jun 4, 2026
@JeanMeche JeanMeche changed the title refactor(http): Add explicit mention of the dangerosity of JSON on th… refactor(http): Add explicit mention of the dangerosity of JSONP on the API entries Jun 4, 2026
@JeanMeche JeanMeche added the target: patch This PR is targeted for the next patch release label Jun 4, 2026
github-actions Bot commented Jun 4, 2026

Deployed adev-preview for 0cf0001 to: https://ng-dev-previews-fw--pr-angular-angular-69168-adev-prev-dzewvbo7.web.app

Note: As new commits are pushed to this pull request, this link is updated after the preview is rebuilt.

Comment thread adev/src/content/guide/http/setup.md Outdated
@JeanMeche JeanMeche force-pushed the dangerous-jsonp branch 2 times, most recently from e7d110b to ec24ad1 Compare June 4, 2026 22:17
…he API entries

In addition to deprecating JSONP support (angular#69116), we will rename both the provider function and the module to make explicit that JSONP can be an attack vector and should be used with caution.
While this is a breaking change, we consider this a hardening change. Also, our investigation showed that this API is not widely used.

BREAKING CHANGE: JSONP is considered a liability and its usage is not recommended. The API will be removed in v23. Please transition to CORS-enabled APIs instead.
@JeanMeche JeanMeche requested review from AndrewKushnir and removed request for atscott and crisbeto June 4, 2026 22:53
@pullapprove pullapprove Bot requested review from atscott June 4, 2026 22:53
Labels

adev: preview
area: common/http (Issues related to HTTP and HTTP Client)
detected: breaking change (PR contains a commit with a breaking change)
target: patch (This PR is targeted for the next patch release)
