diff options
author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2020-07-27 19:15:57 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-27 19:15:57 +0200 |
commit | e7b3bc488d01d584262e12a7c5c25f935d0d034b (patch) | |
tree | 1e4f60870089f82a7dae69598a4121d4d778d8ea /test/unit | |
parent | fa0058af426c4e482059214c29c29f004254d9a1 (diff) | |
download | jquery-e7b3bc488d01d584262e12a7c5c25f935d0d034b.tar.gz jquery-e7b3bc488d01d584262e12a7c5c25f935d0d034b.zip |
Ajax: Drop the json to jsonp auto-promotion logic
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.
Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.
This commit disables the auto-promoting logic.
BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.
Fixes gh-1799
Fixes gh-3376
Closes gh-4754
Diffstat (limited to 'test/unit')
-rw-r--r-- | test/unit/ajax.js | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/test/unit/ajax.js b/test/unit/ajax.js index e13c2713d..cd7822b73 100644 --- a/test/unit/ajax.js +++ b/test/unit/ajax.js @@ -1239,6 +1239,121 @@ QUnit.module( "ajax", { ]; } ); + ajaxTest( "jQuery.ajax() - no JSONP auto-promotion" + label, 4, function( assert ) { + return [ + { + url: baseURL + "mock.php?action=jsonp", + dataType: "json", + crossDomain: crossDomain, + success: function() { + assert.ok( false, "JSON parsing should have failed (no callback)" ); + }, + fail: function() { + assert.ok( true, "JSON parsing failed, JSONP not used (no callback)" ); + } + }, + { + url: baseURL + "mock.php?action=jsonp&callback=?", + dataType: "json", + crossDomain: crossDomain, + success: function() { + assert.ok( false, "JSON parsing should have failed (ULR callback)" ); + }, + fail: function() { + assert.ok( true, "JSON parsing failed, JSONP not used (URL callback)" ); + } + }, + { + url: baseURL + "mock.php?action=jsonp", + dataType: "json", + crossDomain: crossDomain, + data: "callback=?", + success: function() { + assert.ok( false, "JSON parsing should have failed (data callback=?)" ); + }, + fail: function() { + assert.ok( true, "JSON parsing failed, JSONP not used (data callback=?)" ); + } + }, + { + url: baseURL + "mock.php?action=jsonp", + dataType: "json", + crossDomain: crossDomain, + data: "callback=??", + success: function() { + assert.ok( false, "JSON parsing should have failed (data callback=??)" ); + }, + fail: function() { + assert.ok( true, "JSON parsing failed, JSONP not used (data callback=??)" ); + } + } + ]; + } ); + + ajaxTest( "jQuery.ajax() - JSON - no ? replacement" + label, 9, function( assert ) { + return [ + { + url: baseURL + "mock.php?action=json&callback=?", + dataType: "json", + crossDomain: crossDomain, + beforeSend: function( _jqXhr, settings ) { + var queryString = settings.url.replace( /^[^?]*\?/, "" ); + assert.ok( + queryString.indexOf( "jQuery" ) === -1, + "jQuery callback not inserted into the URL (URL callback)" + ); + assert.ok( + queryString.indexOf( "callback=?" ) > -1, + "\"callback=?\" present in the URL unchanged (URL callback)" + ); + }, + success: function( data ) { + assert.ok( data.data, "JSON results returned (URL callback)" ); + } + }, + { + url: baseURL + "mock.php?action=json", + dataType: "json", + crossDomain: crossDomain, + data: "callback=?", + beforeSend: function( _jqXhr, settings ) { + var queryString = settings.url.replace( /^[^?]*\?/, "" ); + assert.ok( + queryString.indexOf( "jQuery" ) === -1, + "jQuery callback not inserted into the URL (data callback=?)" + ); + assert.ok( + queryString.indexOf( "callback=?" ) > -1, + "\"callback=?\" present in the URL unchanged (data callback=?)" + ); + }, + success: function( data ) { + assert.ok( data.data, "JSON results returned (data callback=?)" ); + } + }, + { + url: baseURL + "mock.php?action=json", + dataType: "json", + crossDomain: crossDomain, + data: "callback=??", + beforeSend: function( _jqXhr, settings ) { + var queryString = settings.url.replace( /^[^?]*\?/, "" ); + assert.ok( + queryString.indexOf( "jQuery" ) === -1, + "jQuery callback not inserted into the URL (data callback=??)" + ); + assert.ok( + queryString.indexOf( "callback=??" ) > -1, + "\"callback=?\" present in the URL unchanged (data callback=??)" + ); + }, + success: function( data ) { + assert.ok( data.data, "JSON results returned (data callback=??)" ); + } + } + ]; + } ); + } ); ajaxTest( "jQuery.ajax() - script, Remote", 2, function( assert ) { |