diff options
author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2020-08-25 21:28:30 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-25 21:28:30 +0200 |
commit | 07a8e4a177550025c1a08d7ac754839733943f55 (patch) | |
tree | 444876e30f76d94ff10aa7b637a055f3216a23ca /src/ajax | |
parent | 82b87f6f0e45ca4e717b4e3a4a20a592709a099f (diff) | |
download | jquery-07a8e4a177550025c1a08d7ac754839733943f55.tar.gz jquery-07a8e4a177550025c1a08d7ac754839733943f55.zip |
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.
For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.
The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.
Fixes gh-3969
Closes gh-4763
Diffstat (limited to 'src/ajax')
-rw-r--r-- | src/ajax/script.js | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/ajax/script.js b/src/ajax/script.js index 22dc29183..54bfecf2e 100644 --- a/src/ajax/script.js +++ b/src/ajax/script.js @@ -32,7 +32,10 @@ jQuery.ajaxPrefilter( "script", function( s ) { if ( s.cache === undefined ) { s.cache = false; } - if ( s.crossDomain ) { + + // These types of requests are handled via a script tag + // so force their methods to GET. + if ( s.crossDomain || s.async || s.scriptAttrs ) { s.type = "GET"; } } ); @@ -40,8 +43,9 @@ jQuery.ajaxPrefilter( "script", function( s ) { // Bind script tag hack transport jQuery.ajaxTransport( "script", function( s ) { - // This transport only deals with cross domain or forced-by-attrs requests - if ( s.crossDomain || s.scriptAttrs ) { + // This transport only deals with async, cross domain or forced-by-attrs requests. + // Sync requests remain handled differently to preserve strict script ordering. + if ( s.crossDomain || s.async || s.scriptAttrs ) { var script, callback; return { send: function( _, complete ) { |