aboutsummaryrefslogtreecommitdiffstats
path: root/test/unit
diff options
context:
space:
mode:
authorMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2020-07-27 19:15:57 +0200
committerGitHub <noreply@github.com>2020-07-27 19:15:57 +0200
commite7b3bc488d01d584262e12a7c5c25f935d0d034b (patch)
tree1e4f60870089f82a7dae69598a4121d4d778d8ea /test/unit
parentfa0058af426c4e482059214c29c29f004254d9a1 (diff)
downloadjquery-e7b3bc488d01d584262e12a7c5c25f935d0d034b.tar.gz
jquery-e7b3bc488d01d584262e12a7c5c25f935d0d034b.zip
Ajax: Drop the json to jsonp auto-promotion logic
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was automatically converted to a jsonp request unless one also specified `jsonp: false`. Today the preferred way of interacting with a cross-domain backend is CORS which works in all browsers jQuery 4 will support. Auto-promoting JSON requests to JSONP ones introduces a security issue as the developer may be unaware they're not just downloading data but executing code from a remote domain. This commit disables the auto-promoting logic. BREAKING CHANGE: to trigger a JSONP request, it's now required to specify `dataType: "jsonp"`; previously some requests with `dataType: "json"` were auto-promoted to JSONP. Fixes gh-1799 Fixes gh-3376 Closes gh-4754
Diffstat (limited to 'test/unit')
-rw-r--r--test/unit/ajax.js115
1 files changed, 115 insertions, 0 deletions
diff --git a/test/unit/ajax.js b/test/unit/ajax.js
index e13c2713d..cd7822b73 100644
--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
@@ -1239,6 +1239,121 @@ QUnit.module( "ajax", {
];
} );
+ ajaxTest( "jQuery.ajax() - no JSONP auto-promotion" + label, 4, function( assert ) {
+ return [
+ {
+ url: baseURL + "mock.php?action=jsonp",
+ dataType: "json",
+ crossDomain: crossDomain,
+ success: function() {
+ assert.ok( false, "JSON parsing should have failed (no callback)" );
+ },
+ fail: function() {
+ assert.ok( true, "JSON parsing failed, JSONP not used (no callback)" );
+ }
+ },
+ {
+ url: baseURL + "mock.php?action=jsonp&callback=?",
+ dataType: "json",
+ crossDomain: crossDomain,
+ success: function() {
+ assert.ok( false, "JSON parsing should have failed (ULR callback)" );
+ },
+ fail: function() {
+ assert.ok( true, "JSON parsing failed, JSONP not used (URL callback)" );
+ }
+ },
+ {
+ url: baseURL + "mock.php?action=jsonp",
+ dataType: "json",
+ crossDomain: crossDomain,
+ data: "callback=?",
+ success: function() {
+ assert.ok( false, "JSON parsing should have failed (data callback=?)" );
+ },
+ fail: function() {
+ assert.ok( true, "JSON parsing failed, JSONP not used (data callback=?)" );
+ }
+ },
+ {
+ url: baseURL + "mock.php?action=jsonp",
+ dataType: "json",
+ crossDomain: crossDomain,
+ data: "callback=??",
+ success: function() {
+ assert.ok( false, "JSON parsing should have failed (data callback=??)" );
+ },
+ fail: function() {
+ assert.ok( true, "JSON parsing failed, JSONP not used (data callback=??)" );
+ }
+ }
+ ];
+ } );
+
+ ajaxTest( "jQuery.ajax() - JSON - no ? replacement" + label, 9, function( assert ) {
+ return [
+ {
+ url: baseURL + "mock.php?action=json&callback=?",
+ dataType: "json",
+ crossDomain: crossDomain,
+ beforeSend: function( _jqXhr, settings ) {
+ var queryString = settings.url.replace( /^[^?]*\?/, "" );
+ assert.ok(
+ queryString.indexOf( "jQuery" ) === -1,
+ "jQuery callback not inserted into the URL (URL callback)"
+ );
+ assert.ok(
+ queryString.indexOf( "callback=?" ) > -1,
+ "\"callback=?\" present in the URL unchanged (URL callback)"
+ );
+ },
+ success: function( data ) {
+ assert.ok( data.data, "JSON results returned (URL callback)" );
+ }
+ },
+ {
+ url: baseURL + "mock.php?action=json",
+ dataType: "json",
+ crossDomain: crossDomain,
+ data: "callback=?",
+ beforeSend: function( _jqXhr, settings ) {
+ var queryString = settings.url.replace( /^[^?]*\?/, "" );
+ assert.ok(
+ queryString.indexOf( "jQuery" ) === -1,
+ "jQuery callback not inserted into the URL (data callback=?)"
+ );
+ assert.ok(
+ queryString.indexOf( "callback=?" ) > -1,
+ "\"callback=?\" present in the URL unchanged (data callback=?)"
+ );
+ },
+ success: function( data ) {
+ assert.ok( data.data, "JSON results returned (data callback=?)" );
+ }
+ },
+ {
+ url: baseURL + "mock.php?action=json",
+ dataType: "json",
+ crossDomain: crossDomain,
+ data: "callback=??",
+ beforeSend: function( _jqXhr, settings ) {
+ var queryString = settings.url.replace( /^[^?]*\?/, "" );
+ assert.ok(
+ queryString.indexOf( "jQuery" ) === -1,
+ "jQuery callback not inserted into the URL (data callback=??)"
+ );
+ assert.ok(
+ queryString.indexOf( "callback=??" ) > -1,
+ "\"callback=?\" present in the URL unchanged (data callback=??)"
+ );
+ },
+ success: function( data ) {
+ assert.ok( data.data, "JSON results returned (data callback=??)" );
+ }
+ }
+ ];
+ } );
+
} );
ajaxTest( "jQuery.ajax() - script, Remote", 2, function( assert ) {