authorMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2020-08-25 21:28:30 +0200
committerGitHub <noreply@github.com>2020-08-25 21:28:30 +0200
commit07a8e4a177550025c1a08d7ac754839733943f55 (patch)
tree444876e30f76d94ff10aa7b637a055f3216a23ca /src/ajax
parent82b87f6f0e45ca4e717b4e3a4a20a592709a099f (diff)
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts for cross-domain requests or ones with `scriptAttrs` set. This commit makes it also use a script tag for all async requests, to avoid CSP errors arising from the use of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors, as it uses the AJAX script transport under the hood. For sync requests such a change is impossible, and that is what `jQuery._evalUrl` uses; fixing that is tracked in gh-1895. The commit also makes the other types of requests that use the script-tag version of the script transport set their type to "GET" — namely async scripts and ones with `scriptAttrs` set — in addition to the existing cross-domain ones. Fixes gh-3969 Closes gh-4763
Diffstat (limited to 'src/ajax')
-rw-r--r--src/ajax/script.js10
1 files changed, 7 insertions, 3 deletions
diff --git a/src/ajax/script.js b/src/ajax/script.js
index 22dc29183..54bfecf2e 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -32,7 +32,10 @@ jQuery.ajaxPrefilter( "script", function( s ) {
if ( s.cache === undefined ) {
s.cache = false;
}
- if ( s.crossDomain ) {
+
+ // These types of requests are handled via a script tag
+ // so force their methods to GET.
+ if ( s.crossDomain || s.async || s.scriptAttrs ) {
s.type = "GET";
}
} );
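Review bot: The new condition `if ( s.crossDomain || s.async || s.scriptAttrs ) {` silently rewrites a caller's explicit `type: "POST"` to GET, and neither the new comment nor the hunk says what happens to the request body; a script tag cannot carry one, and if jQuery's usual GET handling applies, any `data` is appended to the URL as query parameters instead, which is a different exposure (server logs, Referer leakage) for anything sensitive. Since `async` presumably defaults to true, this now covers nearly every `dataType: "script"` request, not only the cross-domain ones the old `if ( s.crossDomain )` forced. I would extend the comment to `// A script tag can only issue a GET, so a caller's POST (and its body) is not honoured and any data is sent as query parameters. Because async defaults to true, this applies to nearly all script requests.` The enclosing ajaxPrefilter callback starts before the hunk.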
@@ -40,8 +43,9 @@ jQuery.ajaxPrefilter( "script", function( s ) {
// Bind script tag hack transport
jQuery.ajaxTransport( "script", function( s ) {
- // This transport only deals with cross domain or forced-by-attrs requests
- if ( s.crossDomain || s.scriptAttrs ) {
+ // This transport only deals with async, cross domain or forced-by-attrs requests.
+ // Sync requests remain handled differently to preserve strict script ordering.
+ if ( s.crossDomain || s.async || s.scriptAttrs ) {
var script, callback;
return {
send: function( _, complete ) {
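Review bot: The rationale in the added comment `// Sync requests remain handled differently to preserve strict script ordering.` does not match the commit message, which says a script-tag transport is impossible for sync requests and that the remaining sync path (`jQuery._evalUrl`) still produces CSP errors, tracked in gh-1895. A reader of this file gets no hint that `async: false` script requests presumably still fall through to the other transport and inline evaluation, which a CSP without `'unsafe-inline'`/`'unsafe-eval'` blocks. I would reword it as `// Sync requests cannot use a script tag (script elements load asynchronously); they fall back to the other transport plus inline evaluation, which CSP may still reject (gh-1895).` The transport's `send` function continues past the end of the hunk.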