From 6d1364431b63b0d3bbe1c5fd604131f9db453396 Mon Sep 17 00:00:00 2001
From: Michał Gołębiowski-Owczarek
Date: Wed, 1 Feb 2023 13:40:55 +0100
Subject: Ajax: Support `headers` for script transport even when cross-domain

The AJAX script transport has two versions: XHR + `jQuery.globalEval` or appending a script tag (note that `jQuery.globalEval` also appends a script tag now, but inline). The former cannot support the `headers` option which has so far not been taken into account. For jQuery 3.x, the main consequence was the option not being respected for cross-domain requests. Since in 4.x we use the latter way more often, the option was being ignored in more cases. The transport now checks whether the `headers` option is specified and uses the XHR way unless `scriptAttrs` are specified as well.

Fixes gh-5142
Closes gh-5193
---
 src/ajax/script.js | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

(limited to 'src')

diff --git a/src/ajax/script.js b/src/ajax/script.js
index fee8a66e0..aa8ddb4c5 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -6,20 +6,28 @@ import "../ajax.js";
 function canUseScriptTag( s ) {
 
 	// A script tag can only be used for async, cross domain or forced-by-attrs requests.
+	// Requests with headers cannot use a script tag. However, when both `scriptAttrs` &
+	// `headers` options are specified, both are impossible to satisfy together; we
+	// prefer `scriptAttrs` then.
 	// Sync requests remain handled differently to preserve strict script ordering.
-	return s.crossDomain || s.scriptAttrs ||
+	return s.scriptAttrs || (
+		!s.headers &&
+		(
+			s.crossDomain ||
 
-		// When dealing with JSONP (`s.dataTypes` include "json" then)
-		// don't use a script tag so that error responses still may have
-		// `responseJSON` set. Continue using a script tag for JSONP requests that:
-		// * are cross-domain as AJAX requests won't work without a CORS setup
-		// * have `scriptAttrs` set as that's a script-only functionality
-		// Note that this means JSONP requests violate strict CSP script-src settings.
-		// A proper solution is to migrate from using JSONP to a CORS setup.
-		( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 );
+			// When dealing with JSONP (`s.dataTypes` include "json" then)
+			// don't use a script tag so that error responses still may have
+			// `responseJSON` set. Continue using a script tag for JSONP requests that:
+			// * are cross-domain as AJAX requests won't work without a CORS setup
+			// * have `scriptAttrs` set as that's a script-only functionality
+			// Note that this means JSONP requests violate strict CSP script-src settings.
+			// A proper solution is to migrate from using JSONP to a CORS setup.
+			( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 )
+		)
+	);
 }
 
-// Install script dataType. Don't specify `content.script` so that an explicit
+// Install script dataType. Don't specify `contents.script` so that an explicit
 // `dataType: "script"` is required (see gh-2432, gh-4822)
 jQuery.ajaxSetup( {
 	accepts: {
-- 
cgit v1.2.3
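Review bot: `!s.headers` on the new return line is a truthiness test on an object, so an empty `headers: {}` — or a `headers` object configured globally through `jQuery.ajaxSetup`, a common way to attach a CSRF or auth token to every request — now disables the script tag for every cross-domain script request and routes it through XHR, which fails without a CORS setup. Testing for actual entries, `jQuery.isEmptyObject( s.headers ) &&` in place of `!s.headers &&`, avoids the empty-object case; whether a globally configured header should also force XHR is a product decision that deserves a sentence in the new comment either way. The new comment says `scriptAttrs` is preferred when both are set, but not that the headers are then silently never sent; I would append `// In that case the headers are dropped, not sent.` so callers relying on an `Authorization` header are not surprised. The `jQuery.ajaxSetup( {` call at the end of the hunk continues outside it.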