
Is the JIRA REST API still serving JSONP

Jeremiah Mbaria May 8, 2013

I was testing the JIRA REST API by issuing a request to get json only to stumble upon this error time and again.

Uncaught SyntaxError: Unexpected token :

I tried the suggestions offered by other developers in vain and then I found this post https://answers.atlassian.com/questions/138618/jira-rest-api-response-suddenly-stopped-sending-jsonp-getting-invalid-label-syntax-error.

Is the JSONP going to still be supported in the coming months or not so I know whether it's worth going on with my project?

3 answers

1 accepted

1 vote
Answer accepted
Marlon Aguiar
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 8, 2013

Hi Jeremiah,

Atlassian is planning on discontinuing JSONP on JIRA 6, so I would not recommend you to spend much time on it! Please read this announcement for more information: https://developer.atlassian.com/display/JIRADEV/SOAP+and+XML-RPC+API+Deprecated+in+JIRA+6.0

Hope this information helps!

Cheers,
Marlon

Marlon Aguiar
Atlassian Team
September 16, 2013

This page provides some further information regarding this and also provides a workaround for re-enabling JSON-P in JIRA: https://developer.atlassian.com/display/JIRADEV/Preparing+for+JIRA+6.0#PreparingforJIRA6.0-JSON-Pnolongersupported

If you have built integrations that rely on JSON-P, you can override this by setting the atlassian.allow.jsonp system property to true.

Regards,
Marlon

Karl Gustav November 29, 2013

Unless there is a hidden backdoor in JIRA when using JSONP it's pretty stupid to disable it and blame it on better security.

Your explanation:

it is possible for an attacker to use this to view information in a JIRA instance that they do not have permission to see.

The JSONP implementation in JIRA still requires you to have a valid user to access it. And the ONLY language that is affected by disabling JSONP is JavaScript in the browser. And if I was going to use brute force against the REST-API I can still use any other language in the world to do it.

Matt Ryall
Atlassian Team
April 23, 2014

Karl, JSONP is vulnerable to cross-site request forgery. A malicious site can embed a set of JSONP calls to JIRA, and merely by getting you to visit their site, obtain full access to all the data accessible by your user in JIRA. There's more information on the JSONP Wikipedia article.

We aim to make our default configurations as secure as possible, so it was disabled in our products recently. If you're using an internal instance of JIRA and you have a known trusted group of users (or data that isn't important), enabling this flag is a good workaround.

The best alternative we'd like to add for simple scripts is support for cross-origin AJAX (CORS), as noted by Marlon below. OAuth is available already, but it can be quite complex to implement, depending on what language and tooling you're using to access our APIs.

Karl Gustav April 23, 2014

*Talking with egg on my face* I have later learned about CSRF and I now understand why JSON-P is so bad. But we had already sunk quite a bit of time and resources into plugins that use JSON-P, so we had to delay upgrading JIRA. I understand why you guys did it, but I still mean that it would have been a better approach to make CORS available before you deactivated JSON-P.

0 votes
Marlon Aguiar
Atlassian Team
May 8, 2013

I'll quote Michael Knight's comment on that other question:

The recommended alternative method is to use OAuth (see an example doc and some other examples). We are also looking at CORS, although this is not complete yet (e.g. JRA-30371 ).

0 votes
Jeremiah Mbaria May 8, 2013

What are going to be the alternatives?
