JSONP Requests ('callback' parameter) are Deprecated

JSONP Requests ('callback' parameter) are Deprecated

April 18, 2019
3:37 pm

akuchta

New Member

Members

Forum Posts: 2

Member Since:
April 15, 2019

Offline

JSONP Requests (‘callback’ parameter) are Deprecated

Some ThingSpeak users have reported issues accessing ThingSpeak feed data from their custom web pages. JavaScript code like the following no longer functions as expected:


$.getJSON(
  "https://api.thingspeak.com/channels/9/feeds/last.json?callback=?",
  function(data) { /*...*/ }
);
// This request fails with an HTTP response 422 Unprocessable Entity

This code uses a technique called JSONP to bypass the browser’s same-origin policy and get data from ThingSpeak. JSONP is no longer supported by the ThingSpeak API. JSONP has been superceded by Cross-Origin Resource Sharing (CORS) which can achieve the same desired result with better security.

If your code uses the 'callback' parameter in a request to 'api.thingspeak.com' these are the steps you need to perform to get the code working again:

Remove 'callback=?' from the URL.
For private channels, provide the read API key as part of the URL (e.g. '?api_key=READ_API_KEY'). Public channels do not require an API key.

Example

The example shows the fixed version of the code above:


$.getJSON(
  "https://api.thingspeak.com/channels/YOUR_CHANNEL_ID/feeds/last.json?api_key=YOUR_API_KEY"
  function(data) { /*...*/ }
);

April 19, 2019
9:02 am

Hgestel

New Member

Members

Forum Posts: 2

Member Since:
December 29, 2017

Offline

Works for me. removing "callback" in html script.
As the channels are public no API key nescasary.

Thanks

April 19, 2019
10:37 am

Serge

Silver

Members

Forum Posts: 7

Member Since:
February 26, 2018

Offline

akuchta said
If your code uses the 'callback' parameter in a request to 'api.thingspeak.com' these are the steps you need to perform to get the code working again:

Remove 'callback=?' from the URL.

For private channels, provide the read API key as part of the URL (e.g. '?api_key=READ_API_KEY'). Public channels do not require an API key.

Yell Unfortunately, your suggested CORS workaround does not work for local file:/// HTML files containing JavaScript because the origin: 'null' is not accepted by your server.
Instead, I will need to run either a local HTTP server or a proxy server. Both solutions actually increase the potential attack surface.

Access to XMLHttpRequest at 'https://www.thingspeak.com/channels/xxxxxxx/feed/last.json?key=XXXXXXXXXXXXXXXXXX' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

April 19, 2019
12:56 pm

Serge

Silver

Members

Forum Posts: 7

Member Since:
February 26, 2018

Offline

I carefully read https://en.wikipedia.org/wiki/JSONP#Security_concerns to understand what the security issues with JSONP might be.
With all due respect, but I am absolutely convinced none of these concerns applies to ThingSpeak.com

It is not so that by injecting any JavaScript code a criminal agent were to gain any additional information.
Such an agent would by definition have gained access to the API key and hence everything there is to know.

The JSONP security concerns only apply to a setting where for example you are visiting the web application of your bank in a session.
There it is true that hijacking the session might reveal more information to the attacker.
As explained above, this situation does not apply to ThingSpeak.

To further demonstrate my point, I could simply create a universally accessible proxy server on AWS that serves ThingSpeak API requests to anybody in the world in JSONP.
Any attacker could do the same to circumvent this new CORS restriction.

You really have to come to terms with the fact that ThingSpeak IS a universal service and that the only security are its API keys.
This implies that the ThingSpeak API servers could be set to Access-Control-Allow-Origin: *

Using JSONP does not constitute any security issue for ThingSpeak.

This new CORS restriction is really rendering ThingSpeak unnecessarily difficult to use in a personal or academic setting.
If I am not mistaken, the latter group is one of your targeted customer groups.

PS: In the mean time, the *real* security issue of leaving write permissions open for reading remains unattended.
You really ought to set the right priorities there at ThingSpeak!

April 23, 2019
2:48 pm

turgo

Gold

Members

Forum Posts: 77

Member Since:
June 16, 2013

Offline

I removed the callback keyword, and now have the error:
Failed to load resource: Cross-origin redirection to https://thingspeak.com/channels/xxxx/feed/last.json?api_key=xxxxxxxxxxxxxxxx denied by Cross-Origin Resource Sharing policy: Origin http://myplace.frontier.com is not allowed by Access-Control-Allow-Origin.
What next?

April 23, 2019
7:16 pm

turgo

Gold

Members

Forum Posts: 77

Member Since:
June 16, 2013

Offline

Vinod said, "Try changing that to https://api.thingspeak.com/channels/xxxx/feed/last.json?api_key=xxxxxxxxxxxxxxxx
Note the insertion of 'api' in the domain name."

These small details are hard to catch. I was successful when I changed "www" to "api". Thanks for the help.

April 24, 2019
3:47 am

Serge

Silver

Members

Forum Posts: 7

Member Since:
February 26, 2018

Offline

turgo said
These small details are hard to catch. I was successful when I changed "www" to "api". Thanks for the help.

Yes indeed, turgo! Your remark resolved my issue.
Thank you very much!

Forum Timezone: America/New_York

Most Users Ever Online: 166

Currently Online:
30 Guest(s)

Currently Browsing this Page:
1 Guest(s)