From 07a8e4a177550025c1a08d7ac754839733943f55 Mon Sep 17 00:00:00 2001
From: Michał Gołębiowski-Owczarek
Date: Tue, 25 Aug 2020 21:28:30 +0200
Subject: Ajax: Avoid CSP errors in the script transport for async requests

Until now, the AJAX script transport only used a script tag to load scripts for cross-domain requests or ones with `scriptAttrs` set. This commit makes it also used for all async requests to avoid CSP errors arising from usage of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors as it uses the AJAX script transport under the hood. For sync requests such a change is impossible and that's what `jQuery._evalUrl` uses. Fixing that is tracked in gh-1895. The commit also makes other type of requests using the script tag version of the script transport set its type to "GET", namely async scripts & ones with `scriptAttrs` set in addition to the existing cross-domain ones.

Fixes gh-3969
Closes gh-4763
---
 src/ajax/script.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'src/ajax')

diff --git a/src/ajax/script.js b/src/ajax/script.js
index 22dc29183..54bfecf2e 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -32,7 +32,10 @@ jQuery.ajaxPrefilter( "script", function( s ) {
 if ( s.cache === undefined ) {
 s.cache = false;
 }
- if ( s.crossDomain ) {
+
+ // These types of requests are handled via a script tag
+ // so force their methods to GET.
+ if ( s.crossDomain || s.async || s.scriptAttrs ) {
 s.type = "GET";
 }
 } );
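Review bot: Forcing `s.type = "GET"` whenever `s.async` is set silently discards a caller-supplied `type` such as "POST", and since `async` defaults to true in jQuery's ajax settings the new condition effectively matches every script request except a same-origin sync one without `scriptAttrs`; the comment should say so, and should note that any `data` on such a request is then serialized into the query string (where it lands in server logs and Referer headers) instead of a request body — that last part follows from ajax.js, which is outside this hunk. The same three-term predicate is repeated in the transport hunk below; a single helper such as `function usesScriptTag( s ) { return s.crossDomain || s.async || s.scriptAttrs; }` used in both places would keep the two conditions from drifting apart. A comment along the lines of `// Note: async defaults to true, so same-origin async POST requests are affected too; their data moves into the URL.` would make the trade-off explicit to the next reader.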
@@ -40,8 +43,9 @@ jQuery.ajaxPrefilter( "script", function( s ) {
 // Bind script tag hack transport
 jQuery.ajaxTransport( "script", function( s ) {
 
- // This transport only deals with cross domain or forced-by-attrs requests
- if ( s.crossDomain || s.scriptAttrs ) {
+ // This transport only deals with async, cross domain or forced-by-attrs requests.
+ // Sync requests remain handled differently to preserve strict script ordering.
+ if ( s.crossDomain || s.async || s.scriptAttrs ) {
 var script, callback;
 return {
 send: function( _, complete ) {
-- cgit v1.2.3
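Review bot: With `s.async` added to the condition, same-origin async script requests now go through the script-element path, which means the request URL must be permitted by the page's `script-src` directive and — presumably, since this transport does not use XHR — custom `headers`, `xhrFields` and the real HTTP status are no longer available to callers; the new comment only mentions script ordering, so it should spell this out. Something like `// Script-element loads must satisfy script-src; custom headers and the HTTP status are not available on this path.` placed after the two new comment lines would document the consequence. The `send` handler and the remainder of the transport body continue outside this hunk.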