source.dussan.org Git - jquery.git/commit

author	Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
	Tue, 25 Aug 2020 19:28:30 +0000 (21:28 +0200)
committer	GitHub <noreply@github.com>
	Tue, 25 Aug 2020 19:28:30 +0000 (21:28 +0200)
commit	07a8e4a177550025c1a08d7ac754839733943f55
tree	444876e30f76d94ff10aa7b637a055f3216a23ca	tree \| snapshot
parent	82b87f6f0e45ca4e717b4e3a4a20a592709a099f	commit \| diff

Ajax: Avoid CSP errors in the script transport for async requests

Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.

For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.

The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.

Fixes gh-3969
Closes gh-4763

src/ajax/script.js		diff \| blob \| history
test/data/csp-ajax-script-downloaded.js	[new file with mode: 0644]	blob
test/data/csp-ajax-script.html	[new file with mode: 0644]	blob
test/data/csp-ajax-script.js	[new file with mode: 0644]	blob
test/data/mock.php		diff \| blob \| history
test/middleware-mockserver.js		diff \| blob \| history
test/unit/ajax.js		diff \| blob \| history