Avoid jsonp #5040
Comments
Hmm, I don't think there is a reason - @1ec5 can we just use d3.json to fetch these?
Looks like there's some prior discussion on this topic: #2680 (comment)
We should get CORS enabled on the specific read-only endpoints we're using, or come to the conclusion that WMF doesn't want their services used by external sites and do something from data dumps.
Sure, sounds good to me. (For the Wikidata field, I just followed the example of the preexisting Wikipedia field, which also used JSONP.)
The
Hmm @tomhughes I wonder if this would be an issue for #5050 - it also seems to use JSONP.
Well, that will certainly need a new CSP rule, which is fine. Allowing XHR is preferable to JSONP though if it's possible.
There are a bunch of other uses of JSONP in the iD codebase that we should try to replace with XHR requests if possible. I'm updating this issue to list them here:
For most uses limited to reading data from MediaWiki APIs, adding CORS should be as easy as adding the Example:
This was mostly done in #5123 - we can't replace the Bing Streetside calls right now, but will keep it in mind for the future.
Is there a reason why the Wikipedia and Wikidata API access uses JSONP rather than just fetching the JSON data with an XHR request?
The reason I ask is that I'm hoping to enable Content-Security-Policy enforcement for www.openstreetmap.org soon, and as it stands I've had to enable script evaluation for *.wikipedia.org and www.wikidata.org, but it's not clear that is really necessary.
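The CSP trade-off raised in this issue, as an added example that is not part of the original thread or the iD codebase: a simplified host-source check showing that a JSONP `<script>` load is governed by `script-src`, while an XHR/fetch is governed by `connect-src`. Both policy strings, the API URL and the helper names are constructed for illustration and are not the real www.openstreetmap.org header.

```javascript
// Constructed sample values (assumptions, not taken from the real site config).
const SELF_ORIGIN = 'https://www.openstreetmap.org';
const JSONP_POLICY =
  "default-src 'self'; script-src 'self' *.wikipedia.org www.wikidata.org";
const XHR_POLICY =
  "default-src 'self'; script-src 'self'; " +
  "connect-src 'self' *.wikipedia.org www.wikidata.org";

// Parse a CSP header value into { directive: [source, ...] }.
// The first occurrence of a directive wins, as in the CSP spec.
function parseCsp(policy) {
  const out = Object.create(null);
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    if (key && !(key in out)) out[key] = sources;
  }
  return out;
}

// Simplified host-source match: 'self', "*", exact host, or "*.example.org".
// Schemes, ports and paths in source expressions are ignored here.
function hostAllowed(sources, url, selfOrigin) {
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === selfOrigin;
    if (src === '*') return true;
    // "*.example.org" matches subdomains only, not the apex domain.
    if (src.startsWith('*.')) return target.hostname.endsWith(src.slice(1));
    return target.hostname === src;
  });
}

// kind: 'script' for a JSONP <script> load, 'connect' for XHR/fetch.
// A missing directive falls back to default-src; no policy at all allows.
function cspAllows(policy, kind, url, selfOrigin) {
  const directives = parseCsp(policy);
  const sources = directives[`${kind}-src`] ?? directives['default-src'];
  return sources === undefined ? true : hostAllowed(sources, url, selfOrigin);
}

const api = 'https://en.wikipedia.org/w/api.php'; // constructed sample URL
console.log('JSONP policy, script load:', cspAllows(JSONP_POLICY, 'script', api, SELF_ORIGIN));
console.log('XHR policy, script load:  ', cspAllows(XHR_POLICY, 'script', api, SELF_ORIGIN));
console.log('XHR policy, fetch:        ', cspAllows(XHR_POLICY, 'connect', api, SELF_ORIGIN));
```

Under the second policy the third-party hosts can return data to the page but can no longer supply executable script, which is the reduction in exposure the issue is after.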