Problem/Motivation
When creating a Rest Export display view of entities or fields, JSONP callback is ignored, what causes that you can't create a view that exposes JSONP for external sites to consume.
See http://en.wikipedia.org/wiki/JSONP for more info.
Proposed resolution
Use JsonResponse for these use cases and set the callback established in the resquest.
How to test
curl --request GET "http://drupal.d8/node?_format=json&callback=x"
and
curl --request GET "http://drupal.d8/node/251?_format=json&callback=x"
Remaining tasks
Add test.
Decide what parameter to reserve. Is 'callback' and 'jsonp' enough?
User interface changes
API changes
Original report by [andrea.paiola]
If I call a REST Export View with JSONP, for example
drupal/node.json?callback=CALLBACKNAME
the output is equal to drupal/node.json
The JSONP callback is not managed.
In a REST Export View I think that should be handled also the JSONP callback via setCallback.
$this->request->get('callback') is valorized to CALLBACKNAME, maybe is useful.
Comment | File | Size | Author |
---|---|---|---|
#31 | 2132779-31.patch | 2.58 KB | amateescu |
#30 | interdiff.txt | 2.1 KB | amateescu |
#30 | 2132779-30.patch | 2.66 KB | amateescu |
#22 | jsonp_callback_js-2132779-22.diff | 2.13 KB | lookitscook |
#18 | jsonp_callback_is-2132779-18.patch | 1.82 KB | jtwalters |
Comments
Comment #1
clemens.tolboom@andrea.paiola can you please add some pointers to specs etc plus
Please update the issue summary by applying the template from http://drupal.org/node/1155816.
Comment #2
pcambraComment #3
pcambraHere's the piece of code that I've used for testing this problem in RestExport.php
Comment #4
clemens.tolboomSee http://en.wikipedia.org/wiki/JSONP
This needs handling single entities like node/1 too.
As this is a feature request I'm not sure we will get this into 8.0.x or should we declare this a bug?
I've created a patch based on #3 @pcambra why didn't you?
Comment #6
pcambraI was going to tomorrow, lack of time :). Was working on #2396803: Remove unused test view in rest module and #2396253: Respect format configuration on REST views display today.
Agreed. I'll try to take a look to that.
Comment #7
dawehnerLeft over debug statement.
What about using something like
which seems easier to read?
Comment #8
pcambraThanks for the review @dawehner!
Here's a patch taking into account #7
Comment #9
dawehnerLet's inject the 'renderer' service and use it here ... drupal_render_root() itself is deprecated already.
Comment #10
pcambraAnother take fixing #9.
Had a chat with @dawehner on IRC about the entity resource JSONP. EntityResource uses ResourceResponse that has nothing special to do with json and all end up in RequestHandler where the response is encoded without taking into account a callback. From RequestHandler->handle()
Daniel suggests that we could add an event listener to catch the request and check if it's jsonp to replace the Response by a JsonResponse at that point but that might result in losing some information about the request. Maybe this belongs to another issue just for the entity resources and keep this one for views.
Comment #12
LewisNymanThis seems fixed, but I can't figure out when. Feel free to reopen.
Comment #13
jtwalters CreditAttribution: jtwalters commentedThis seems to be a real ongoing issue. Re-opening.
Comment #14
jtwalters CreditAttribution: jtwalters commentedI'm not too familiar with views in D8 but this patch I created solves the problem for me. Not sure if this is the best way to handle it.
Comment #15
jtwalters CreditAttribution: jtwalters commentedComment #18
jtwalters CreditAttribution: jtwalters commentedRe-rolled the patch with an "isset" check.
Comment #19
jtwalters CreditAttribution: jtwalters commentedComment #20
dawehnerWe should at least add some form of testing here
Comment #21
clemens.tolboomThis will not work as we cache requests based on _format.
Running
gives both plain JSON.
I failed to get
curl --request GET 'http://drupal.d8:8080/node/1?_format=json&callback=x'
which should be another issue I guess.Comment #22
lookitscook CreditAttribution: lookitscook at ZEBRADOG commentedAdding "url.query_args:callback" to the cache contexts resolved caching issue. Unsure if this is the best method to add context, but it worked for me:
$build['#cache']['contexts'][] = "url.query_args:callback";
Comment #23
lookitscook CreditAttribution: lookitscook at ZEBRADOG commentedComment #25
Wim LeersThe cache context is set here, but the callback is being specified elsewhere.
This is where the callback is being added. Therefore this is where the cache context should be added.
This makes it much easier to maintain in the long term.
… but actually even that is not enough, as you can tell because of the test failures. Due to the fact that Views has its own render pipeline and we want to be able to cache views efficiently, it's the responsibility of Views handlers/plugins to specify cacheability metadata ahead of time even. So, you'll want to make
RestExport
implementCacheableDependencyInterface
. See\Drupal\user\Plugin\views\access\Permission()
for an example.Comment #26
Wim LeersComment #28
Wim Leers#1869548: Opt-in CORS support is RTBC, which further reduces the need for this. Remember, JSONP is read-only, CORS is not.
Comment #30
amateescu CreditAttribution: amateescu commentedThis should do it.
Comment #31
amateescu CreditAttribution: amateescu commentedAnd a reroll for 8.3.x.
Comment #33
pcambraComment #34
Wim LeersStill needs tests. Other than that, looks good!
Comment #36
Wim LeersComment #37
Wim LeersActually, with only 10 followers on this issue, 8 of which are commenters on this issue… I think there's so little interest in this feature that it's simply not worth our time.
Also let's not forget that JSONP was invented as a work-around for CORS restrictions. So this would have made sense in 2013, when this issue was first created, but not today, in 2017.
And, quoting https://en.wikipedia.org/wiki/JSONP:
So this would need security review too!
As of Drupal 8.2.0, we have opt-in CORS support: https://www.drupal.org/node/2715637. So, that even further reduces the need for this feature.
Therefore, closing this.