JSONP Requests ('callback' parameter) are Deprecated | Announcements | Forum

The ThingSpeak community site has been upgraded to a new site. This site is currently in read-only mode. You can ask questions or post and read discussions on the new site.
Avatar

Please consider registering
Guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
sp_Search Search
Advanced Search
Advanced Search

— Forum Scope —





— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Search Search
Go to Bottom
sp_RankInfo
sp_Feed sp_TopicIcon
JSONP Requests ('callback' parameter) are Deprecated
No permission to create posts
April 18, 2019
3:37 pm
Avatar
akuchta
New Member
Members
Forum Posts: 2
Member Since:
April 15, 2019
sp_UserOfflineSmall Offline
Go to Top
1sp_EditHistory sp_Permalink sp_Print

JSONP Requests (‘callback’ parameter) are Deprecated

Some ThingSpeak users have reported issues accessing ThingSpeak feed data from their custom web pages. JavaScript code like the following no longer functions as expected:

$.getJSON(
  "https://api.thingspeak.com/channels/9/feeds/last.json?callback=?",
  function(data) { /*...*/ }
);
// This request fails with an HTTP response 422 Unprocessable Entity

This code uses a technique called JSONP to bypass the browser’s same-origin policy and get data from ThingSpeak. JSONP is no longer supported by the ThingSpeak API. JSONP has been superceded by Cross-Origin Resource Sharing (CORS) which can achieve the same desired result with better security.

If your code uses the 'callback' parameter in a request to 'api.thingspeak.com' these are the steps you need to perform to get the code working again:

  1. Remove 'callback=?' from the URL.
  2. For private channels, provide the read API key as part of the URL (e.g. '?api_key=READ_API_KEY'). Public channels do not require an API key.

Example

The example shows the fixed version of the code above:

$.getJSON(
  "https://api.thingspeak.com/channels/YOUR_CHANNEL_ID/feeds/last.json?api_key=YOUR_API_KEY"
  function(data) { /*...*/ }
);
April 19, 2019
9:02 am
Avatar
Hgestel
New Member
Members
Forum Posts: 2
Member Since:
December 29, 2017
sp_UserOfflineSmall Offline
Go to Top
2sp_Permalink sp_Print

Works for me. removing "callback" in html script.
As the channels are public no API key nescasary.

Thanks

April 19, 2019
10:37 am
Avatar
Serge

Silver
Members
Forum Posts: 7
Member Since:
February 26, 2018
sp_UserOfflineSmall Offline
sp_UserWebsite
Go to Top
3sp_Permalink sp_Print

akuchta said
If your code uses the 'callback' parameter in a request to 'api.thingspeak.com' these are the steps you need to perform to get the code working again:

  1. Remove 'callback=?' from the URL.
  2. For private channels, provide the read API key as part of the URL (e.g. '?api_key=READ_API_KEY'). Public channels do not require an API key.

Yell Unfortunately, your suggested CORS workaround does not work for local file:/// HTML files containing JavaScript because the origin: 'null' is not accepted by your server.
Instead, I will need to run either a local HTTP server or a proxy server. Both solutions actually increase the potential attack surface.

Access to XMLHttpRequest at 'https://www.thingspeak.com/channels/xxxxxxx/feed/last.json?key=XXXXXXXXXXXXXXXXXX' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
April 19, 2019
12:56 pm
Avatar
Serge

Silver
Members
Forum Posts: 7
Member Since:
February 26, 2018
sp_UserOfflineSmall Offline
sp_UserWebsite
Go to Top
4sp_Permalink sp_Print

I carefully read https://en.wikipedia.org/wiki/JSONP#Security_concerns to understand what the security issues with JSONP might be.
With all due respect, but I am absolutely convinced none of these concerns applies to ThingSpeak.com

It is not so that by injecting any JavaScript code a criminal agent were to gain any additional information.
Such an agent would by definition have gained access to the API key and hence everything there is to know.

The JSONP security concerns only apply to a setting where for example you are visiting the web application of your bank in a session.
There it is true that hijacking the session might reveal more information to the attacker.
As explained above, this situation does not apply to ThingSpeak.

To further demonstrate my point, I could simply create a universally accessible proxy server on AWS that serves ThingSpeak API requests to anybody in the world in JSONP.
Any attacker could do the same to circumvent this new CORS restriction.

You really have to come to terms with the fact that ThingSpeak IS a universal service and that the only security are its API keys.
This implies that the ThingSpeak API servers could be set to Access-Control-Allow-Origin: *

Using JSONP does not constitute any security issue for ThingSpeak.

This new CORS restriction is really rendering ThingSpeak unnecessarily difficult to use in a personal or academic setting.
If I am not mistaken, the latter group is one of your targeted customer groups.

PS: In the mean time, the *real* security issue of leaving write permissions open for reading remains unattended.
You really ought to set the right priorities there at ThingSpeak!

April 23, 2019
2:48 pm
Avatar
turgo

Gold
Members
Forum Posts: 77
Member Since:
June 16, 2013
sp_UserOfflineSmall Offline
Go to Top
5sp_Permalink sp_Print

I removed the callback keyword, and now have the error:
Failed to load resource: Cross-origin redirection to https://thingspeak.com/channels/xxxx/feed/last.json?api_key=xxxxxxxxxxxxxxxx denied by Cross-Origin Resource Sharing policy: Origin http://myplace.frontier.com is not allowed by Access-Control-Allow-Origin.
What next?

April 23, 2019
7:16 pm
Avatar
turgo

Gold
Members
Forum Posts: 77
Member Since:
June 16, 2013
sp_UserOfflineSmall Offline
Go to Top
6sp_Permalink sp_Print

Vinod said, "Try changing that to https://api.thingspeak.com/channels/xxxx/feed/last.json?api_key=xxxxxxxxxxxxxxxx
Note the insertion of 'api' in the domain name."

These small details are hard to catch. I was successful when I changed "www" to "api". Thanks for the help.

April 24, 2019
3:47 am
Avatar
Serge

Silver
Members
Forum Posts: 7
Member Since:
February 26, 2018
sp_UserOfflineSmall Offline
sp_UserWebsite
Go to Top
7sp_Permalink sp_Print

turgo said
These small details are hard to catch. I was successful when I changed "www" to "api". Thanks for the help.  

Yes indeed, turgo! Your remark resolved my issue.
Thank you very much!

June 16, 2019
5:14 am
Avatar
easydoor
New Member
Members
Forum Posts: 4
Member Since:
June 7, 2019
sp_UserOfflineSmall Offline
Go to Top
8sp_Permalink sp_Print

Thx for explanation..I solved autoupdate the graphs.

No permission to create posts
sp_Feed
Go to top
Forum Timezone: America/New_York

Most Users Ever Online: 166

Currently Online:
32 Guest(s)

Currently Browsing this Page:
2 Guest(s)

Top Posters:

rw950431: 272

Vinod: 240

piajola: 95

turgo: 70

vespapierre: 63

Adarsh_Murthy: 62

Member Stats:

Guest Posters: 1

Members: 8665

Moderators: 1

Admins: 2

Forum Stats:

Groups: 3

Forums: 14

Topics: 1600

Posts: 5760

Newest Members:

Advantagetreeexperts, laundrydaddyuk, techhhelp5, ken, tran, huldacormier

Moderators: cstapels: 460

Administrators: Hans: 405, lee: 457