author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2020-08-25 21:28:30 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-25 21:28:30 +0200 |
commit | 07a8e4a177550025c1a08d7ac754839733943f55 (patch) | |
tree | 444876e30f76d94ff10aa7b637a055f3216a23ca /test/data | |
parent | 82b87f6f0e45ca4e717b4e3a4a20a592709a099f (diff) | |
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also be used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.
For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.
The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.
Fixes gh-3969
Closes gh-4763
Diffstat (limited to 'test/data')
-rw-r--r-- | test/data/csp-ajax-script-downloaded.js | 1 | ||||
-rw-r--r-- | test/data/csp-ajax-script.html | 13 | ||||
-rw-r--r-- | test/data/csp-ajax-script.js | 25 | ||||
-rw-r--r-- | test/data/mock.php | 10 |
4 files changed, 45 insertions, 4 deletions
diff --git a/test/data/csp-ajax-script-downloaded.js b/test/data/csp-ajax-script-downloaded.js
new file mode 100644
index 000000000..4bd46cb65
--- /dev/null
+++ b/test/data/csp-ajax-script-downloaded.js
@@ -0,0 +1 @@
+window.downloadedScriptCalled = true;
diff --git a/test/data/csp-ajax-script.html b/test/data/csp-ajax-script.html
new file mode 100644
index 000000000..e3e750727
--- /dev/null
+++ b/test/data/csp-ajax-script.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>jQuery.ajax() - script, CSP script-src compat (gh-3969)</title>
+ <script src="../jquery.js"></script>
+ <script src="iframeTest.js"></script>
+ <script src="csp-ajax-script.js"></script>
+</head>
+<body>
+ <p>CSP Test Page</p>
+</body>
+</html>
diff --git a/test/data/csp-ajax-script.js b/test/data/csp-ajax-script.js
new file mode 100644
index 000000000..c6821a24e
--- /dev/null
+++ b/test/data/csp-ajax-script.js
@@ -0,0 +1,25 @@
+/* global startIframeTest */
+
+var timeoutId, type;
+
+function finalize() {
+ startIframeTest( type, window.downloadedScriptCalled );
+}
+
+timeoutId = setTimeout( function() {
+ finalize();
+}, 1000 );
+
+jQuery
+ .ajax( {
+ url: "csp-ajax-script-downloaded.js",
+ dataType: "script",
+ method: "POST",
+ beforeSend: function( _jqXhr, settings ) {
+ type = settings.type;
+ }
+ } )
+ .then( function() {
+ clearTimeout( timeoutId );
+ finalize();
+ } );
diff --git a/test/data/mock.php b/test/data/mock.php
index a34e8f5ac..b76fd521c 100644
--- a/test/data/mock.php
+++ b/test/data/mock.php
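Review bot: In csp-ajax-script.js, `finalize()` can run twice: if the 1000 ms timer fires before the request settles, the later `.then` callback still calls `finalize()` after a no-op `clearTimeout`, so `startIframeTest` (which presumably reports the outcome to the parent test) is invoked a second time with a possibly different `window.downloadedScriptCalled` value. Guard it with a flag, e.g. `var timeoutId, type, finalized;` and, at the top of `finalize()`, `if ( finalized ) { return; } finalized = true;` before the `startIframeTest` call. The failure path also relies on the timer alone; passing the same callback as the second argument of `.then` would finalize promptly when the script request is rejected (for example when CSP blocks it) instead of after the full timeout.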
@@ -195,22 +195,24 @@ QUnit.assert.ok( true, "mock executed");';
 }
 
 protected function cspFrame( $req ) {
- // This is CSP only for browsers with "Content-Security-Policy" header support
- // i.e. no old WebKit or old Firefox
 header( "Content-Security-Policy: default-src 'self'; report-uri ./mock.php?action=cspLog" );
 header( 'Content-type: text/html' );
 echo file_get_contents( __DIR__ . '/csp.include.html' );
 }
 
 protected function cspNonce( $req ) {
- // This is CSP only for browsers with "Content-Security-Policy" header support
- // i.e. no old WebKit or old Firefox
 $test = $req->query['test'] ? '-' . $req->query['test'] : '';
 header( "Content-Security-Policy: script-src 'nonce-jquery+hardcoded+nonce'; report-uri ./mock.php?action=cspLog" );
 header( 'Content-type: text/html' );
 echo file_get_contents( __DIR__ . '/csp-nonce' . $test . '.html' );
 }
 
+ protected function cspAjaxScript( $req ) {
+ header( "Content-Security-Policy: script-src 'self'; report-uri /base/test/data/mock.php?action=cspLog" );
+ header( 'Content-type: text/html' );
+ echo file_get_contents( __DIR__ . '/csp-ajax-script.html' );
+ }
+
 protected function cspLog( $req ) {
 file_put_contents( $this->cspFile, 'error' );
 }
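Review bot: The `report-uri` in the new `cspAjaxScript` header points at `/base/test/data/mock.php?action=cspLog`, while the `cspFrame` and `cspNonce` siblings in the same hunk use the relative `./mock.php?action=cspLog`. If the absolute path is deliberate because this page is served under a `/base/` prefix, a one-line comment such as `// Absolute report-uri: this page is served under the /base/ prefix, so ./mock.php would not resolve here` would stop a future cleanup from "normalising" it; otherwise the relative form keeps the three handlers consistent. A wrong report-uri does not change the test's pass/fail result directly, but violation reports would silently never reach `cspLog`, so the `cspFile` marker it writes would stay absent. The enclosing class starts and ends outside the hunk.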