aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2020-09-01 00:02:44 +0200
committerGitHub <noreply@github.com>2020-09-01 00:02:44 +0200
commit68b4ec59c8f290d680e9db4bc980655660817dd1 (patch)
tree80ecdf72cee717005e10c8af974d9388fb83e014 /src
parent1a5fff4c169dbaa2df72c656868bcf60ed4413d0 (diff)
downloadjquery-68b4ec59c8f290d680e9db4bc980655660817dd1.tar.gz
jquery-68b4ec59c8f290d680e9db4bc980655660817dd1.zip
Ajax: Make responseJSON work for erroneous same-domain JSONP requests
Don't use a script tag for JSONP requests unless for cross-domain requests or if scriptAttrs are provided. This makes the `responseJSON` property available in JSONP error callbacks. This fixes a regression from jQuery 3.5.0 introduced in gh-4379 which made erroneous script responses to not be executed to follow native behavior. The 3.x-stable branch doesn't need this fix as it doesn't use script tags for regular async requests. Closes gh-4778 Ref gh-4771 Ref gh-4773 Ref gh-4379
Diffstat (limited to 'src')
-rw-r--r--src/ajax/script.js23
1 files changed, 18 insertions, 5 deletions
diff --git a/src/ajax/script.js b/src/ajax/script.js
index 54bfecf2e..203ea08e0 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -3,6 +3,22 @@ import document from "../var/document.js";
import "../ajax.js";
+function canUseScriptTag( s ) {
+
+ // A script tag can only be used for async, cross domain or forced-by-attrs requests.
+ // Sync requests remain handled differently to preserve strict script ordering.
+ return s.crossDomain || s.scriptAttrs ||
+
+ // When dealing with JSONP (`s.dataTypes` include "json" then)
+ // don't use a script tag so that error responses still may have
+ // `responseJSON` set. Continue using a script tag for JSONP requests that:
+ // * are cross-domain as AJAX requests won't work without a CORS setup
+ // * have `scriptAttrs` set as that's a script-only functionality
+ // Note that this means JSONP requests violate strict CSP script-src settings.
+ // A proper solution is to migrate from using JSONP to a CORS setup.
+ ( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 );
+}
+
// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
if ( s.crossDomain ) {
@@ -35,17 +51,14 @@ jQuery.ajaxPrefilter( "script", function( s ) {
// These types of requests are handled via a script tag
// so force their methods to GET.
- if ( s.crossDomain || s.async || s.scriptAttrs ) {
+ if ( canUseScriptTag( s ) ) {
s.type = "GET";
}
} );
// Bind script tag hack transport
jQuery.ajaxTransport( "script", function( s ) {
-
- // This transport only deals with async, cross domain or forced-by-attrs requests.
- // Sync requests remain handled differently to preserve strict script ordering.
- if ( s.crossDomain || s.async || s.scriptAttrs ) {
+ if ( canUseScriptTag( s ) ) {
var script, callback;
return {
send: function( _, complete ) {