5

I would like to enable existing MVC controllers (from ASP.NET Core/Kestrel server) to wrap messages as JSONP so they can be accessible cross-domain from browser. What are my options?

Karol Kolenda

1 Answer

2

JSONP is pretty much deprecated, since most frameworks and servers support CORS, which makes JSONP obsolete (it doesn't work well with anything other than GET requests).

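```csharp
// Startup.ConfigureServices
services.AddCors(options =>
{
    // Named policy that accepts any origin and any HTTP method
    options.AddPolicy("AnyOrigin", builder =>
    {
        builder
            .AllowAnyOrigin()
            .AllowAnyMethod();
    });
});

// Startup.Configure (register before the MVC middleware)
app.UseCors("AnyOrigin");
```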

This will basically allow AJAX calls from any domain. If you need more fine-grained control over domains and actions, check out the official docs.

Tseng
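
The fine-grained control over domains that the answer mentions, as an added example that is not part of the original answer: a named policy limited to listed origins, methods and headers, attached to a single controller. It assumes ASP.NET Core 3.1 or later with endpoint routing; the policy name, the origins and the controller are hypothetical.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    // Hypothetical policy name (an assumption, not from the original post).
    public const string FrontendPolicy = "TrustedFrontends";

    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>())
            .Build().Run();

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy(FrontendPolicy, builder =>
            {
                builder
                    // Constructed origins: exact scheme://host[:port], no trailing slash.
                    .WithOrigins("https://app.example.com", "https://admin.example.com")
                    .WithMethods("GET", "POST", "PUT", "DELETE")
                    .WithHeaders("Content-Type", "Authorization")
                    .SetPreflightMaxAge(TimeSpan.FromMinutes(10));
            });
        });
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseCors();   // between UseRouting and UseEndpoints so [EnableCors] is honoured
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]
[EnableCors(Startup.FrontendPolicy)]   // only this controller answers cross-origin callers
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "constructed sample item" });
}
```

A request whose `Origin` is not in the list gets no `Access-Control-Allow-Origin` header, so the browser refuses to expose the response to the calling script. The server still runs the action for simple requests, so the policy complements authentication rather than replacing it.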
  • 8
    This should not be the answer. It does not answer the question; it says you should do something else, which may be helpful but is not the answer. – Steve Aug 09 '18 at 20:50
  • 1
    @Steve: Read [What is the XY Problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) and read the **actual** question before commenting. It clearly states _so they can be accessible cross-domain from browser_ and JSONP is/was the wrong approach for that. Historically, before CORS it was the only way to do cross-domain access from JavaScript, but it has its limitations (see above, limited to GET requests). Today every major browser supports and understands CORS handlers, and it's the correct way to do cross-domain requests and also works with POST/PUT/DELETE requests – Tseng Aug 16 '18 at 07:13
  • 1
    I agree with @Steve here. The question was about Jsonp and the answer is about CORS. Who cares if jsonp is "Pretty much deprecated" when there are browsers out in the wild that don't fully support CORS. – Tyddlywink Dec 04 '19 at 18:50
  • @Tyddlywink: It's a typical XY Problem question, OP asking how to do B, when they should have asked A. The action question is _so they can be accessible cross-domain from browser_ and the correct answer is to use CORS, since JSONP has limitations, i.e. is limited to GET requests, forcing providers to make mutable GET requests, which on the other side are more susceptible to CSRF. FWIW: Pretty much **EVERY** browser released in the past 10 years does support CORS, see https://caniuse.com/#feat=cors. Or what's your use-case to support 20 year old browsers? No one is using it – Tseng Dec 05 '19 at 01:16
  • @Tyddlywink: You seriously should get to the actual problem: Supporting unsupported browsers **is absurd**, no matter the requirements, and that should be communicated to the people in charge. There is no **supported** browser out there which doesn't support CORS, what's the point in discussing it? XP and older have all been out of support for a couple of years already, every other OS doesn't have that issue and has updated browsers. That's as absurd as trying to support modern websites rendering on Amiga 500 or C64. "It's not an option" is not an option, for stuff unsupported for over a decade – Tseng Dec 05 '19 at 13:06
  • We are not talking here about a software or programming language problem (such as COBOL or Fortran being used in a 50-year-old financial system code base) or server code. Browsers are a user/consumer thing. The person who still uses Windows 95-XP in their company should simply get fired and crucified for having slept over 2 decades, missing to upgrade to anything recent, despite exactly knowing the support lifecycles. What's next? Back to supporting Windows 1.0? – Tseng Dec 05 '19 at 13:09
  • The real issue, and what you are failing to see, is that you didn't answer the question that was asked. Period. End of story. You chose to answer a completely different question. "What's the best way to do a cross domain ajax call?". If that had been the question I would have agreed with your answer. But it wasn't, therefore I can't and won't. – Tyddlywink Dec 05 '19 at 15:41
  • @Tyddlywink: See [What is the XY problem?](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). The fact that the question was marked as solved proves that the answer is the one the OP was searching for and not was asking for. Go on, read the link. Have a nice day. Just because the answer is not the one you'd **liked to hear**, doesn't mean it's _incorrect_. However, feel free to add additional answers, that's what SO is for – Tseng Dec 05 '19 at 15:44
  • The core of the question is _...so they can be accessible cross-domain from browser. What are my options?_ with JSONP as the assumed solution, so it does exactly answer the question (the author probably didn't know about CORS before asking the question, since JSONP was used a long time ago to solve similar issues before CORS existed) – Tseng Apr 06 '20 at 08:48
  • 1
    Came here looking for a solution to implement JSONP, because I am tasked with retrofitting an API using ASPNET.Core. I have no influence (and neither has my customer) on the client apps which consume the API via JSONP. So not using JSONP is currently not an option. The question title suggested that I could find a solution here, which I unfortunately don't. – MartinStettner Apr 30 '20 at 13:23