From 025da4dd343e6734f3d3c1b4785b1548498115d8 Mon Sep 17 00:00:00 2001
From: Michał Gołębiowski-Owczarek
Date: Tue, 26 Jan 2021 15:58:29 +0100
Subject: Ajax: Don't auto-execute scripts unless dataType provided

PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless `dataType: "script"` was explicitly provided; this change landed in jQuery 3.0.0. This change extends that logic same-domain scripts as well. After this change, to request a script under a provided URL to be evaluated, you need to provide `dataType: "script` in `jQuery.ajax` options or to use `jQuery.getScript`.

Fixes gh-4822
Closes gh-4825
Ref gh-2432
Ref gh-2588
---
 test/unit/ajax.js | 71 ++++++++++++++++++-------------------------------------
 1 file changed, 23 insertions(+), 48 deletions(-)
(limited to 'test')
diff --git a/test/unit/ajax.js b/test/unit/ajax.js
index 271496ce1..4ab17e8eb 100644
--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
@@ -71,13 +71,20 @@ QUnit.module( "ajax", {
 };
 } );
 
- ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+ ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
 function( assert ) {
 return {
 create: function( options ) {
- options.crossDomain = true;
+ var xhr;
+ options.method = "POST";
 options.dataType = "script";
- return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
+ options.scriptAttrs = { id: "jquery-ajax-test", async: "async" };
+ xhr = jQuery.ajax( url( "mock.php?action=script" ), options );
+ assert.equal( jQuery( "#jquery-ajax-test" ).attr( "async" ), "async", "attr value" );
+ return xhr;
+ },
+ beforeSend: function( _jqXhr, settings ) {
+ assert.strictEqual( settings.type, "GET", "Type changed to GET" );
 },
 success: function() {
 assert.ok( true, "success" );
@@ -89,20 +96,13 @@ QUnit.module( "ajax", {
 }
 );
 
- ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
+ ajaxTest( "jQuery.ajax() - execute JS when dataType option is provided", 3,
 function( assert ) {
 return {
 create: function( options ) {
- var xhr;
- options.method = "POST";
+ options.crossDomain = true;
 options.dataType = "script";
- options.scriptAttrs = { id: "jquery-ajax-test", async: "async" };
- xhr = jQuery.ajax( url( "mock.php?action=script" ), options );
- assert.equal( jQuery( "#jquery-ajax-test" ).attr( "async" ), "async", "attr value" );
- return xhr;
- },
- beforeSend: function( _jqXhr, settings ) {
- assert.strictEqual( settings.type, "GET", "Type changed to GET" );
+ return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
 },
 success: function() {
 assert.ok( true, "success" );
@@ -114,22 +114,16 @@ QUnit.module( "ajax", {
 }
 );
 
- ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
- return {
- create: function( options ) {
- options.crossDomain = true;
- return jQuery.ajax( url( "mock.php?action=script&header" ), options );
- },
- success: function() {
- assert.ok( true, "success" );
- },
- fail: function() {
- assert.ok( false, "fail" );
- },
- complete: function() {
- assert.ok( true, "complete" );
- }
- };
+ jQuery.each( [ " - Same Domain", " - Cross Domain" ], function( crossDomain, label ) {
+ ajaxTest( "jQuery.ajax() - do not execute JS (gh-2432, gh-4822) " + label, 1, function( assert ) {
+ return {
+ url: url( "mock.php?action=script&header" ),
+ crossDomain: crossDomain,
+ success: function() {
+ assert.ok( true, "success" );
+ }
+ };
+ } );
 } );
 
 ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
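Review bot: The renamed test "execute JS when dataType option is provided" still sets `options.crossDomain = true`, so only the cross-domain path is exercised under a title that no longer says so. Same-domain requests now need an explicit `dataType: "script"` as well, and the same-domain "script by content-type" test is deleted in the last hunk, so the positive same-domain case appears uncovered in the visible lines (tests outside this diff may still cover it). Running the body once per value, the way the "do not execute JS" test loops over same and cross domain, with `options.crossDomain = crossDomain;` in `create`, would pin both paths. The test's closing lines fall outside the hunk.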
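Review bot: The new "do not execute JS (gh-2432, gh-4822)" loop requests only `mock.php?action=script&header`, so the regression guard covers a single response variant, while the test removed in the last hunk exercised `header: "script"` and `header: "ecma"`; adding those values to the loop would pin the no-auto-execute behaviour for each script content type the mock emits (what `mock.php` sends for a bare `header` is not visible here). Execution is detected only indirectly through the expected count of 1, which presumably fails when the fetched script runs and registers an extra assertion; a comment such as `// The mock script asserts when executed, so an expected count of 1 fails if it runs` would make that explicit. As a style point, `crossDomain` is the array index (0 or 1) rather than a boolean, and `crossDomain: !!crossDomain` states the intent directly.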
@@ -1439,25 +1433,6 @@ QUnit.module( "ajax", {
 };
 } );
 
- ajaxTest( "jQuery.ajax() - script by content-type", 2, function() {
- return [
- {
- url: baseURL + "mock.php?action=script",
- data: {
- "header": "script"
- },
- success: true
- },
- {
- url: baseURL + "mock.php?action=script",
- data: {
- "header": "ecma"
- },
- success: true
- }
- ];
- } );
-
 ajaxTest( "jQuery.ajax() - JSON by content-type", 5, function( assert ) {
 return {
 url: baseURL + "mock.php?action=json",
-- 
cgit v1.2.3