[Distutils] JSONP: Deprecation and Intent to Remove

Donald Stufft donald at stufft.io
Thu Mar 19 09:15:55 CET 2015


> On Mar 19, 2015, at 4:12 AM, Paul Moore <p.f.moore at gmail.com> wrote:
> 
> On 19 March 2015 at 02:57, Donald Stufft <donald at stufft.io> wrote:
>> For a while now PyPI has supported JSONP on the /pypi/*/json API to allow people
>> to access the JSON data in a cross origin request. JSONP is a problematic pseudo
>> standard which has niggly edge cases which make it hard to fully secure.
>> Browsers have a much better standard through CORS to handle this use case.
>> 
>> As of now this endpoint has CORS enabled on it and any new or existing
>> consumers of this API should switch to using CORS instead of JSONP. Warehouse
>> will not be implementing the JSONP endpoint so when we switch PyPI to the
>> Warehouse code base anything still relying on JSONP will break.
> 
> For those of us who don't know (and are too lazy to google CORS :-))
> could you provide an example of how to replace uses of the JSON API?
> For example, a script I currently use has:
> 
> url = 'https://pypi.python.org/pypi/' + args.name
> req = requests.get(url + "/json")
> data = req.json()
> url = data['info'].get('home_page', url)
> 
> Thanks,
> Paul

If you’re using a script this doesn’t affect you. JSONP and CORS are two
methods for allowing the JavaScript on example.com to access a JSON URL on
example.net. They are ways of getting around the fact that the browser doesn't
generally allow cross origin requests.

JSONP is problematic for a variety of security reasons, and it exists primarily
as a hack to work around the fact that browsers didn't let you make HTTP
requests with JavaScript to another domain. CORS is the standard, supported,
and secure way of doing it. It's also a heck of a lot simpler.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
