Hi everyone,
we have decided to deprecate the optional jsonp geocoding API parameter. The parameter will continue working for existing customers while we work with them to help them transition to a better solution.
Background
JSONP (JSON with Padding) is a technique for working with JSON (for example from an API like ours) in realtime in webpages. This technique made sense when we started OpenCage in 2014, but has now larely been supersceded by newer technologies likes CORS. Wikipedia provides a good references on the differences between JSONP and CORS.
One disadvantage of JSONP is that it has the potential to be abused if the server returning JSON starts returning other javascript.
Why the change?
Frankly we are tired of dealing with security researchers (see our security bounty program) who endlessly tell us JSONP is unsafe, despite the fact that in over a decade it has worked, and continues to work, without issue for our use case.
Still, the reality is this is a very marginal feature used by less than a handful of customers, and there are now better techniques to solve this use case.
Removing this parameter means one less thing to maintain, and one less feature for customers to have to understand.
What do you need to do?
If you were not using jsonp, nothing. If you are a customer using jsonp we will be in touch to discuss next steps.
Closing points
The OpenAPI spec for our geocoding API has been adjusted accordingly.
This change is listed in our public Change Log.
Happy geocoding,
Ed