Drop JSONP support for reconciliation APIs

Open Abbe98 opened this issue 7 months ago • 1 comments

Users should not be allowed to give remote services injection/JSONP capabilities given the danger. Today someone might just add a malicious service for a popular database to the testbench and only provide JSONP support and then all users trying it will be compromised without warning.

Proposed solution

Only three services on the test bench which do not support CORS support JSONP, so I suggest we drop support.

Alternatives considered

#7185 would allow us to keep supporting non-CORS enabled services while dropping JSONP. I personally don't think we should wait.

Additional context

Abbe98 avatar May 06 '25 05:05 Abbe98
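To make the risk described in the issue concrete, the following added example (not code from OpenRefine or the testbench) models the two ways a client can load a service manifest: JSONP, where the response body is run as script, and a CORS request, where the body is only parsed as JSON. The response bodies, the `page` object and all function names are constructed for illustration.

```javascript
// Constructed sample bodies; not captured from any real reconciliation service.
const MANIFEST = '{"name":"Example Recon","versions":["0.2"]}';
const honestJsonp = `cb(${MANIFEST});`;
// A JSONP body is a script, so the service can append statements of its own.
const hostileJsonp = `cb(${MANIFEST}); page.modifiedByService = true;`;

// Models JSONP loading (<script src=...>): the body is evaluated as code,
// with access to whatever the page exposes (here the hypothetical `page` object).
function loadViaJsonp(body, page) {
  let manifest = null;
  const cb = (data) => { manifest = data; };
  new Function('cb', 'page', body)(cb, page);
  return manifest;
}

// Models a CORS fetch(): the body is treated as data only and must parse as JSON.
function loadViaCors(body) {
  let manifest;
  try {
    manifest = JSON.parse(body);
  } catch (err) {
    return { ok: false, reason: 'response is not JSON' };
  }
  if (manifest === null || typeof manifest !== 'object' || typeof manifest.name !== 'string') {
    return { ok: false, reason: 'manifest has no name' };
  }
  return { ok: true, manifest };
}

// Runs both loaders on the same bodies and reports what the page ends up with.
function compare() {
  const honestPage = { modifiedByService: false };
  const hostilePage = { modifiedByService: false };
  loadViaJsonp(honestJsonp, honestPage);
  const viaJsonp = loadViaJsonp(hostileJsonp, hostilePage);
  return {
    jsonpManifestName: viaJsonp.name,                    // caller sees a normal manifest
    honestPageModified: honestPage.modifiedByService,    // well-behaved service: untouched
    hostilePageModified: hostilePage.modifiedByService,  // extra statements ran in the page
    corsAcceptsJson: loadViaCors(MANIFEST).ok,
    corsAcceptsScript: loadViaCors(hostileJsonp).ok,     // script body is rejected as data
  };
}

console.log(compare());
```

With JSONP the caller receives a normal-looking manifest in both cases and has no way to tell that additional statements ran, which is the "without warning" part of the concern.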

I count 6 services, the most prominent of which is VIVO, but it's still something we should consider.

tfmorris avatar May 20 '25 03:05 tfmorris