Description

Currently jQuery.ajax withdataType: 'json' gets automatically converted to a jsonp request unless one also specifiesjsonp: false. Today the preferred way of interacting with a cross-domain backend is CORS which has been supported by browsers for a long time (the only roadblock is if someone requires IE 9 support).

Auto-promoting JSON requests to JSONP ones introduces a security issue as the developer may be unaware they're not just downloading data but executing code from a remote domain.

The first step in the migration could be adding code to Migrate that would require requests withdataType: 'json' to always specifyjsonp: truejsonp: callbackName orjsonp: false.

Link to test case