3:37 pm

April 15, 2019

JSONP Requests (‘callback’ parameter) are Deprecated
Some ThingSpeak users have reported issues accessing ThingSpeak feed data from their custom web pages. JavaScript code like the following no longer functions as expected:
$.getJSON( "https://api.thingspeak.com/channels/9/feeds/last.json?callback=?", function(data) { /*...*/ } ); // This request fails with an HTTP response 422 Unprocessable Entity
This code uses a technique called JSONP to bypass the browser’s same-origin policy and get data from ThingSpeak. JSONP is no longer supported by the ThingSpeak API. JSONP has been superseded by Cross-Origin Resource Sharing (CORS), which can achieve the same desired result with better security.
If your code uses the 'callback' parameter in a request to 'api.thingspeak.com' these are the steps you need to perform to get the code working again:
- Remove 'callback=?' from the URL.
- For private channels, provide the read API key as part of the URL (e.g. '?api_key=READ_API_KEY'). Public channels do not require an API key.
Example
This example shows the fixed version of the code above (note the comma between the URL and the callback function, and the 'api_key' parameter in place of 'callback=?'):
$.getJSON( "https://api.thingspeak.com/channels/YOUR_CHANNEL_ID/feeds/last.json?api_key=YOUR_API_KEY", function(data) { /*...*/ } );
9:02 am

December 29, 2017

akuchta said
If your code uses the 'callback' parameter in a request to 'api.thingspeak.com' these are the steps you need to perform to get the code working again:
- Remove 'callback=?' from the URL.
- For private channels, provide the read API key as part of the URL (e.g. '?api_key=READ_API_KEY'). Public channels do not require an API key.
Unfortunately, your suggested CORS workaround does not work for local file:/// HTML files containing JavaScript because the origin: 'null' is not accepted by your server.
Instead, I will need to run either a local HTTP server or a proxy server. Both solutions actually increase the potential attack surface.
Access to XMLHttpRequest at 'https://www.thingspeak.com/channels/xxxxxxx/feed/last.json?key=XXXXXXXXXXXXXXXXXX' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
I carefully read https://en.wikipedia.org/wiki/JSONP#Security_concerns to understand what the security issues with JSONP might be.
With all due respect, I am absolutely convinced that none of these concerns applies to ThingSpeak.com.
It is not the case that, by injecting any JavaScript code, a criminal agent would gain any additional information.
Such an agent would by definition have gained access to the API key and hence everything there is to know.
The JSONP security concerns only apply to a setting where for example you are visiting the web application of your bank in a session.
There it is true that hijacking the session might reveal more information to the attacker.
As explained above, this situation does not apply to ThingSpeak.
To further demonstrate my point, I could simply create a universally accessible proxy server on AWS that serves ThingSpeak API requests to anybody in the world in JSONP.
Any attacker could do the same to circumvent this new CORS restriction.
You really have to come to terms with the fact that ThingSpeak IS a universal service and that the only security are its API keys.
This implies that the ThingSpeak API servers could be set to Access-Control-Allow-Origin: *.
Using JSONP does not constitute any security issue for ThingSpeak.
This new CORS restriction is really rendering ThingSpeak unnecessarily difficult to use in a personal or academic setting.
If I am not mistaken, the latter group is one of your targeted customer groups.
PS: In the meantime, the *real* security issue of leaving write permissions open for reading remains unattended.
You really ought to set the right priorities there at ThingSpeak!
2:48 pm


June 16, 2013

I removed the callback keyword, and now have the error:
Failed to load resource: Cross-origin redirection to https://thingspeak.com/channels/xxxx/feed/last.json?api_key=xxxxxxxxxxxxxxxx denied by Cross-Origin Resource Sharing policy: Origin http://myplace.frontier.com is not allowed by Access-Control-Allow-Origin.
What next?
7:16 pm


June 16, 2013

Vinod said, "Try changing that to https://api.thingspeak.com/channels/xxxx/feed/last.json?api_key=xxxxxxxxxxxxxxxx
Note the insertion of 'api' in the domain name."
These small details are hard to catch. I was successful when I changed "www" to "api". Thanks for the help.
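As an added example (not ThingSpeak's code and not posted by anyone in this thread), the following helper applies both the two steps from the announcement (drop 'callback=?', add 'api_key') and the host fix from the later replies ('www.thingspeak.com' / 'thingspeak.com' redirect and fail the CORS check, 'api.thingspeak.com' does not). It assumes the global URL and fetch APIs of a modern browser or Node 18+; the channel id and key in the comments are placeholders.

```javascript
// Added example: rewrite a legacy JSONP request URL into the CORS-compatible
// form described in this thread. Assumes global URL and fetch (browser / Node 18+).

const API_HOST = "api.thingspeak.com";

// Hosts named in the replies that redirect and therefore fail the
// CORS preflight ("Redirect is not allowed for a preflight request").
const LEGACY_HOSTS = new Set(["thingspeak.com", "www.thingspeak.com"]);

function migrateJsonpUrl(legacyUrl, readApiKey) {
  const url = new URL(legacyUrl);

  // Step 1 from the announcement: drop the JSONP 'callback' parameter.
  // With JSONP the response was executed as a script; a plain CORS
  // request returns data only, which is why the parameter must go.
  url.searchParams.delete("callback");

  // Host fix from the replies: talk to api.thingspeak.com over HTTPS so
  // the browser never has to follow a redirect during preflight.
  if (LEGACY_HOSTS.has(url.hostname)) {
    url.hostname = API_HOST;
  }
  url.protocol = "https:";

  // Step 2: private channels need the read key as 'api_key'
  // (public channels work without it, so the key is optional here).
  if (readApiKey) {
    url.searchParams.set("api_key", readApiKey);
  }
  return url.toString();
}

// Plain CORS request with fetch; surfaces a 422 or 4xx instead of
// silently failing the way the old JSONP callback did.
async function fetchLastFeed(legacyUrl, readApiKey) {
  const res = await fetch(migrateJsonpUrl(legacyUrl, readApiKey));
  if (!res.ok) {
    throw new Error(`ThingSpeak request failed: HTTP ${res.status}`);
  }
  return res.json();
}

// Usage (placeholder channel id and key):
// fetchLastFeed("https://www.thingspeak.com/channels/YOUR_CHANNEL_ID/feeds/last.json?callback=?",
//               "YOUR_READ_API_KEY").then(console.log).catch(console.error);
```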