authorMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2020-08-25 21:28:30 +0200
committerGitHub <noreply@github.com>2020-08-25 21:28:30 +0200
commit07a8e4a177550025c1a08d7ac754839733943f55 (patch)
tree444876e30f76d94ff10aa7b637a055f3216a23ca /test/data/csp-ajax-script.js
parent82b87f6f0e45ca4e717b4e3a4a20a592709a099f (diff)
downloadjquery-07a8e4a177550025c1a08d7ac754839733943f55.tar.gz
jquery-07a8e4a177550025c1a08d7ac754839733943f55.zip
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts for cross-domain requests or ones with `scriptAttrs` set. This commit makes it also used for all async requests to avoid CSP errors arising from usage of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors as it uses the AJAX script transport under the hood. For sync requests such a change is impossible and that's what `jQuery._evalUrl` uses. Fixing that is tracked in gh-1895. The commit also makes other types of requests using the script tag version of the script transport set their type to "GET", namely async scripts & ones with `scriptAttrs` set in addition to the existing cross-domain ones. Fixes gh-3969 Closes gh-4763
Diffstat (limited to 'test/data/csp-ajax-script.js')
-rw-r--r--test/data/csp-ajax-script.js25
1 files changed, 25 insertions, 0 deletions
diff --git a/test/data/csp-ajax-script.js b/test/data/csp-ajax-script.js
new file mode 100644
index 000000000..c6821a24e
--- /dev/null
+++ b/test/data/csp-ajax-script.js
@@ -0,0 +1,25 @@
+/* global startIframeTest */
+
+var timeoutId, type;
+
+function finalize() {
+ startIframeTest( type, window.downloadedScriptCalled );
+}
+
+timeoutId = setTimeout( function() {
+ finalize();
+}, 1000 );
+
+jQuery
+ .ajax( {
+ url: "csp-ajax-script-downloaded.js",
+ dataType: "script",
+ method: "POST",
+ beforeSend: function( _jqXhr, settings ) {
+ type = settings.type;
+ }
+ } )
+ .then( function() {
+ clearTimeout( timeoutId );
+ finalize();
+ } );
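Review bot: `finalize()` can run twice in this fixture: if the script request resolves after the 1000 ms timer has already fired, the `.then` callback calls `clearTimeout` on a spent timer and then reports to `startIframeTest` a second time. Whether the harness tolerates a duplicate report is not visible here, but on a slow runner the first report would carry an unset `window.downloadedScriptCalled`, and the late one could land in a following test. A one-shot guard at the top of `finalize` would close this: declare `done` alongside `timeoutId, type` and add `if ( done ) { return; }` followed by `done = true;`. Since this file exists to prove the script transport works under CSP, a short header comment would also help, stating that `method: "POST"` is passed on purpose so the test can check what `settings.type` holds in `beforeSend`, and that the timeout is the only path that reports a blocked or failed load because `.then` has no rejection handler.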