aboutsummaryrefslogtreecommitdiffstats
path: root/test/data
diff options
context:
space:
mode:
authorMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2020-08-25 21:28:30 +0200
committerGitHub <noreply@github.com>2020-08-25 21:28:30 +0200
commit07a8e4a177550025c1a08d7ac754839733943f55 (patch)
tree444876e30f76d94ff10aa7b637a055f3216a23ca /test/data
parent82b87f6f0e45ca4e717b4e3a4a20a592709a099f (diff)
downloadjquery-07a8e4a177550025c1a08d7ac754839733943f55.tar.gz
jquery-07a8e4a177550025c1a08d7ac754839733943f55.zip
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts for cross-domain requests or ones with `scriptAttrs` set. This commit makes it also used for all async requests to avoid CSP errors arising from usage of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors as it uses the AJAX script transport under the hood. For sync requests such a change is impossible and that's what `jQuery._evalUrl` uses. Fixing that is tracked in gh-1895. The commit also makes other type of requests using the script tag version of the script transport set its type to "GET", namely async scripts & ones with `scriptAttrs` set in addition to the existing cross-domain ones. Fixes gh-3969 Closes gh-4763
Diffstat (limited to 'test/data')
-rw-r--r--test/data/csp-ajax-script-downloaded.js1
-rw-r--r--test/data/csp-ajax-script.html13
-rw-r--r--test/data/csp-ajax-script.js25
-rw-r--r--test/data/mock.php10
4 files changed, 45 insertions, 4 deletions
diff --git a/test/data/csp-ajax-script-downloaded.js b/test/data/csp-ajax-script-downloaded.js
new file mode 100644
index 000000000..4bd46cb65
--- /dev/null
+++ b/test/data/csp-ajax-script-downloaded.js
@@ -0,0 +1 @@
+window.downloadedScriptCalled = true;
diff --git a/test/data/csp-ajax-script.html b/test/data/csp-ajax-script.html
new file mode 100644
index 000000000..e3e750727
--- /dev/null
+++ b/test/data/csp-ajax-script.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>jQuery.ajax() - script, CSP script-src compat (gh-3969)</title>
+ <script src="../jquery.js"></script>
+ <script src="iframeTest.js"></script>
+ <script src="csp-ajax-script.js"></script>
+</head>
+<body>
+ <p>CSP Test Page</p>
+</body>
+</html>
diff --git a/test/data/csp-ajax-script.js b/test/data/csp-ajax-script.js
new file mode 100644
index 000000000..c6821a24e
--- /dev/null
+++ b/test/data/csp-ajax-script.js
@@ -0,0 +1,25 @@
+/* global startIframeTest */
+
+var timeoutId, type;
+
+function finalize() {
+ startIframeTest( type, window.downloadedScriptCalled );
+}
+
+timeoutId = setTimeout( function() {
+ finalize();
+}, 1000 );
+
+jQuery
+ .ajax( {
+ url: "csp-ajax-script-downloaded.js",
+ dataType: "script",
+ method: "POST",
+ beforeSend: function( _jqXhr, settings ) {
+ type = settings.type;
+ }
+ } )
+ .then( function() {
+ clearTimeout( timeoutId );
+ finalize();
+ } );
diff --git a/test/data/mock.php b/test/data/mock.php
index a34e8f5ac..b76fd521c 100644
--- a/test/data/mock.php
+++ b/test/data/mock.php
@@ -195,22 +195,24 @@ QUnit.assert.ok( true, "mock executed");';
}
protected function cspFrame( $req ) {
- // This is CSP only for browsers with "Content-Security-Policy" header support
- // i.e. no old WebKit or old Firefox
header( "Content-Security-Policy: default-src 'self'; report-uri ./mock.php?action=cspLog" );
header( 'Content-type: text/html' );
echo file_get_contents( __DIR__ . '/csp.include.html' );
}
protected function cspNonce( $req ) {
- // This is CSP only for browsers with "Content-Security-Policy" header support
- // i.e. no old WebKit or old Firefox
$test = $req->query['test'] ? '-' . $req->query['test'] : '';
header( "Content-Security-Policy: script-src 'nonce-jquery+hardcoded+nonce'; report-uri ./mock.php?action=cspLog" );
header( 'Content-type: text/html' );
echo file_get_contents( __DIR__ . '/csp-nonce' . $test . '.html' );
}
+ protected function cspAjaxScript( $req ) {
+ header( "Content-Security-Policy: script-src 'self'; report-uri /base/test/data/mock.php?action=cspLog" );
+ header( 'Content-type: text/html' );
+ echo file_get_contents( __DIR__ . '/csp-ajax-script.html' );
+ }
+
protected function cspLog( $req ) {
file_put_contents( $this->cspFile, 'error' );
}