-rw-r--r-- | src/ajax.js | 2 | ||||
-rw-r--r-- | src/ajax/script.js | 7 | ||||
-rw-r--r-- | test/unit/ajax.js | 48 |
3 files changed, 56 insertions, 1 deletions
diff --git a/src/ajax.js b/src/ajax.js
index 32b6a1be2..157934ef1 100644
--- a/src/ajax.js
+++ b/src/ajax.js
@@ -221,7 +221,7 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) {
 if ( current ) {
- // There's only work to do if current dataType is non-auto
+ // There's only work to do if current dataType is non-auto
 if ( current === "*" ) {
 current = prev;
diff --git a/src/ajax/script.js b/src/ajax/script.js
index 60b1fb6b0..0ec27b4a5 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -4,6 +4,13 @@ define( [
 "../ajax"
 ], function( jQuery, document ) {
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+ if ( s.crossDomain ) {
+ s.contents.script = false;
+ }
+} );
+
 // Install script dataType
 jQuery.ajaxSetup( {
 accepts: {
diff --git a/test/unit/ajax.js b/test/unit/ajax.js
index 14fe0bed6..647958773 100644
--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
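Review bot: In src/ajax/script.js the comment above the new prefilter says auto-execution is prevented "when no explicit dataType was provided", but the only condition in the code is `s.crossDomain`, so same-origin requests keep content-type based script detection and the protection depends on that flag being set correctly for the request. The comment should state that scope and say why clearing `s.contents.script` leaves an explicit `dataType: "script"` working; presumably `contents` is consulted only while the type is inferred from the response header, but that code is outside this hunk. Suggested wording: `// Cross-domain only: drop the content-type pattern used to infer "script", so a response is evaluated only when the caller asked for dataType "script" (gh-2432)`. The prefilter itself is complete in the hunk; the enclosing `define` callback starts and ends outside it.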
@@ -71,6 +71,54 @@ QUnit.module( "ajax", {
 };
 } );
+ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+ return {
+ create: function( options ) {
+ options.crossDomain = true;
+ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+ },
+ success: function() {
+ assert.ok( true, "success" );
+ },
+ complete: function() {
+ assert.ok( true, "complete" );
+ }
+ };
+ } );
+
+ ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+ function( assert ) {
+ return {
+ create: function( options ) {
+ options.crossDomain = true;
+ options.dataType = "script";
+ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+ },
+ success: function() {
+ assert.ok( true, "success" );
+ },
+ complete: function() {
+ assert.ok( true, "complete" );
+ }
+ };
+ }
+ );
+
+ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+ return {
+ create: function( options ) {
+ options.crossDomain = true;
+ return jQuery.ajax( url( "data/script.php" ), options );
+ },
+ success: function() {
+ assert.ok( true, "success" );
+ },
+ complete: function() {
+ assert.ok( true, "complete" );
+ }
+ };
+ } );
+
+ ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
 return {
 setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ), |
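Review bot: The first and third added tests in test/unit/ajax.js carry the same name, "jQuery.ajax() - do not execute js (crossOrigin)", so a failure report cannot tell the `data/script.php?header=ecma` case from the `data/script.php` case; give each a distinct name, for example `"jQuery.ajax() - do not execute js (crossOrigin, header=ecma)"` and `"jQuery.ajax() - do not execute js (crossOrigin, no header param)"`. Neither test asserts non-execution directly: it shows only as the expected count of 2 against 3 in the explicit-dataType test, presumably because the served script runs an assertion of its own. A comment such as `// expected count is 2: an executed response would add a third assertion` would make that dependency visible to the next maintainer. None of the three tests registers an `error` callback, so a failed request surfaces only as a count mismatch.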