Drop the json-to-jsonp auto-promoting logic

[mgol]

Description

Currently jQuery.ajax with dataType: 'json' gets automatically converted to a jsonp request unless one also specifies jsonp: false. Today the preferred way of interacting with a cross-domain backend is CORS which has been supported by browsers for a long time (the only roadblock is if someone requires IE 9 support).

Auto-promoting JSON requests to JSONP ones introduces a security issue as the developer may be unaware they're not just downloading data but executing code from a remote domain.

The first step in the migration could be adding code to Migrate that would require requests with dataType: 'json' to always specify jsonp: true jsonp: callbackName or jsonp: false.

Link to test case

[Krinkle]

I've not seen the promotion behaviour you describe. The following explicit pattern is what I've popularised and encouraged within Wikimedia:

$.ajax({
  url: 'https://remote.example.org/rest/foo',
  dataType: $.support.cors ? 'json' : 'jsonp'
});

Will this continue to use CORS+JSON for modern browsers, using JSONP as fallback only - without requiring additional options to be passed? I'd really like to avoid having to also set jsonp: false (or jsonp: !$.support.cors)

[timmywil]

I don't think setting jsonp should be required. It can default to false.

[mgol]

PR: #4754