I was testing the JIRA REST API by issuing a request to get json only to stumble upon this error time and again.
Uncaught SyntaxError: Unexpected token :
I tried the suggestions offered by other developers in vain and then I found this post https://answers.atlassian.com/questions/138618/jira-rest-api-response-suddenly-stopped-sending-jsonp-getting-invalid-label-syntax-error.
Is the JSONP going to still be supported in the coming months or not so I know whether it's worth going on with my project?
Hi Jeremiah,
Atlassian is planning on discontinuing JSONP on JIRA 6, so I would not recommend you to spend much time on it! Please read this announcement for more information: https://developer.atlassian.com/display/JIRADEV/SOAP+and+XML-RPC+API+Deprecated+in+JIRA+6.0
Hope this information helps!
Cheers,
Marlon
This page provides some further information regarding this and also provides a workaround for re-enabling JSON-P in JIRA: https://developer.atlassian.com/display/JIRADEV/Preparing+for+JIRA+6.0#PreparingforJIRA6.0-JSON-Pnolongersupported
If you have built integrations that rely on JSON-P, you can override this by setting the atlassian.allow.jsonp system property to true.
Regards,
Marlon
Unless there is a hidden backdoor in JIRA when using JSONP it's pretty stupid to disable it and blame it on better security.
Your explanation:
it is possible for an attacker to use this to view information in a JIRA instance that they do not have permission to see.
The JSONP implementation in JIRA still requires you to have a valid user to access it. And the ONLY language that is affected by disabling JSONP is JavaScript in the browser. And if I was going to use brute force against the REST-API I can still use any other language in the world to do it.
Karl, JSONP is vulnerable to cross-site request forgery. A malicious site can embed a set of JSONP calls to JIRA, and merely by getting you to visit their site, obtain full access to all the data accessible by your user in JIRA. There's more information on the JSONP Wikipedia article.
We aim to make our default configurations as secure as possible, so it was disabled in our products recently. If you're using an internal instance of JIRA and you have a known trusted group of users (or data that isn't important), enabling this flag is a good workaround.
The best alternative we'd like to add for simple scripts is support for cross-origin AJAX (CORS), as noted by Marlon below. OAuth is available already, but it can be quite complex to implement, depending on what language and tooling you're using to access our APIs.
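Added example, not part of the thread and not JIRA code: it shows why plain JSON loaded through a script tag produces the SyntaxError from the question, and what a server-side origin check for the CORS alternative mentioned above can look like. The function names, the allowed origin and the sample issue data are constructed for illustration.

```javascript
// Added illustration: function names, origins and sample data are constructed.

// A <script src="..."> tag hands the response body to the JavaScript parser.
// Compile the body the same way (it is never executed) to see what it reports.
function parsesAsScript(body) {
  try {
    new Function(body);
    return { ok: true, error: null };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

const plainJson = '{"key":"TEST-1","fields":{"summary":"constructed sample"}}';
const jsonpBody = 'handleIssue(' + plainJson + ');'; // what a JSONP endpoint sends

// CORS replacement: the server names the origins whose scripts may read the
// response. JSONP has no such gate; any page can include the script.
const ALLOWED_ORIGINS = new Set(['https://dashboard.example.com']);

function corsResponse(method, origin) {
  const headers = { Vary: 'Origin' }; // keep caches from mixing origins
  const allowed = typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
  if (allowed) {
    // Echo the exact origin: browsers reject "*" on credentialed requests.
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  if (method === 'OPTIONS') { // preflight: answer with headers only
    if (allowed) headers['Access-Control-Allow-Methods'] = 'GET';
    return { status: allowed ? 204 : 403, headers, body: '' };
  }
  // Plain JSON: without an Allow-Origin header the browser refuses to let a
  // cross-origin script read this body.
  headers['Content-Type'] = 'application/json';
  return { status: 200, headers, body: plainJson };
}

console.log(parsesAsScript(plainJson)); // plain JSON is not a valid script
console.log(parsesAsScript(jsonpBody)); // callback-wrapped JSON is
console.log(corsResponse('GET', 'https://other.example.net').headers);
```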
*Talking with egg on my face* I have later learned about CSRF and I now understand why JSON-P is so bad. But we had already sunk quite a bit of time and resources into plugins that use JSON-P, so we had to delay upgrading JIRA. I understand why you guys did it, but I still mean that it would have been a better approach to make CORS available before you deactivated JSON-P.
I'll quote Michael Knight's comment on that other question:
The recommended alternative method is to use OAuth (see an example doc and some other examples). We are also looking at CORS, although this is not complete yet (e.g. JRA-30371).