Ajax: Avoid CSP errors in the script transport for async requests - jquery.git - jQuery JavaScript Library: https://github.com/jquery/jquery

index : jquery.git

jQuery JavaScript Library: https://github.com/jquery/jquery

www-data

about summary refs log tree commit diff stats

path: root/src/ajax.js

diff options

author	Michał Gołębiowski-Owczarek <m.goleb@gmail.com>	2020-08-25 21:28:30 +0200
committer	GitHub <noreply@github.com>	2020-08-25 21:28:30 +0200
commit	07a8e4a177550025c1a08d7ac754839733943f55 (patch)
tree	444876e30f76d94ff10aa7b637a055f3216a23ca /src/ajax.js
parent	82b87f6f0e45ca4e717b4e3a4a20a592709a099f (diff)
download	jquery-07a8e4a177550025c1a08d7ac754839733943f55.tar.gz jquery-07a8e4a177550025c1a08d7ac754839733943f55.zip

Ajax: Avoid CSP errors in the script transport for async requests

Until now, the AJAX script transport only used a script tag to load scripts for cross-domain requests or ones with `scriptAttrs` set. This commit makes it also used for all async requests to avoid CSP errors arising from usage of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors as it uses the AJAX script transport under the hood. For sync requests such a change is impossible and that's what `jQuery._evalUrl` uses. Fixing that is tracked in gh-1895. The commit also makes other type of requests using the script tag version of the script transport set its type to "GET", namely async scripts & ones with `scriptAttrs` set in addition to the existing cross-domain ones. Fixes gh-3969 Closes gh-4763

Diffstat (limited to 'src/ajax.js')

0 files changed, 0 insertions, 0 deletions