Bug Tracker

Ticket #11264 (closed bug: fixed)

Opened 2 years ago

Last modified 2 years ago

evalScript() uses defaults set by ajaxSetup()

Reported by: Matthijs Kooijman <matthijs@…>
Owned by: Matthijs Kooijman <matthijs@…>
Priority: low
Milestone: 1.7.2
Component: ajax
Version: 1.7.1
Keywords:
Cc:
Blocking:
Blocked by:

Description

When evalScript is loading a script (for example since the HTML loaded by .load() or set by .html() contains a script tag), it uses the .ajax() function to get the contents of that script. This ajax call is affected by the defaults set by the user through ajaxSetup().

Since this is an internal .ajax() call, it would make sense to have it bypass the defaults configured by the user, since those might cause unexpected results (users set those defaults to simplify their own ajax calls).

The particular problem I was running into was that ajaxSetup was used to make ajax() default to doing POST requests, causing jquery to do a POST request to a static JS file (resulting in a 405 Invalid request from nginx).

Here's a minimal example showing the problem. If you put this in a .html file and open it up in a browser, you'll see (in Firebug, for example) that a POST request happens to foo.js.

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<div id="content"></div>
<script>
    $.ajaxSetup({type: 'POST'});

    $("#content").html("<div><script src=\"foo.js\"></sc" +
        "ript><p>Hello, world!</p></div>");
</script>

A minimal way to fix this would be to make evalScript explicitly pass type:'POST' to ajax(), but I'm afraid there might be other conflicting settings as well (though I can't give any specific examples...).

On a related note, evalScript should probably pass global: false as well, to prevent globally registered callbacks from running on this internal request (though I guess people might want to register callbacks to run on _every_ request, not just the request they originate themselves...).

Change History

comment:1 Changed 2 years ago by sindresorhus

  • Owner set to Matthijs Kooijman <matthijs@…>
  • Status changed from new to pending

Thanks for taking the time to contribute to the jQuery project! Please provide a complete reduced test case on jsFiddle to help us assess your ticket.

Additionally, be sure to test against the jQuery Edge version to ensure the issue still exists. To get you started, use this boilerplate: http://jsfiddle.net/FrKyN/ Open the link and click to "Fork" (in the top menu) to get started.

comment:2 Changed 2 years ago by Matthijs Kooijman <matthijs@…>

  • Status changed from pending to new

Hmm, awesome tool, jsfiddle. Hadn't seen that one before.

Anyway, I put my example from the ticket into jsfiddle here: http://jsfiddle.net/brhdm/2/

I'm now making my post a bit longer, in the hopes of dissuading akismet of the notion that this comment is spam. It seems a bit misguided by the shortness of the comment and the presence of an external link. Pity I didn't get a recaptcha for this like I did when submitting the ticket.

comment:3 Changed 2 years ago by dmethvin

  • Priority changed from undecided to low
  • Status changed from new to open
  • Component changed from unfiled to ajax
  • Milestone changed from None to 1.next

Matthijs, I agree it seems wrong to have a "POST" in global options be able to thwart an evalScript request. Congratulations on passing our spam filter, BTW!

comment:4 Changed 2 years ago by Matthijs Kooijman <matthijs@…>

Thanks for the lightning response!

FWIW, setting up a trac session helped more to thwart the spamfilter than adding more text, it seems.

For completeness, I tested this on 1.6.1, 1.7.1 and on "edge", the latter using jsfiddle.

comment:5 Changed 2 years ago by jaubourg

  • Status changed from open to closed
  • Resolution set to fixed

Fixes #11264 or rather seriously limits the risk of global ajaxSettings screwing with script loading in domManip. Gotta love globals and sneaky dependencies. Unit test added.

Changeset: d3fad51cad1f71bd20beba81b51552295721a5a5
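
Added example (not part of the ticket and not jQuery's source): a small stand-alone model of how global ajax defaults merge into an internal script request, and how pinning options on the internal call limits the effect without eliminating it. The names `resolve`, `loadScriptUnpinned`, `loadScriptPinned`, `PINNED`, `inheritedFromDefaults` and the `X-Example` header are assumptions made for illustration.

```javascript
// Simplified model of jQuery-style global ajax defaults; not jQuery's source.
const ajaxSettings = { type: "GET", global: true };
const globalHandlers = []; // stand-in for handlers registered for every request

function ajaxSetup(overrides) {
  Object.assign(ajaxSettings, overrides);
}

// Resolve what a request would actually use: defaults first, per-call options on top.
function resolve(options) {
  const settings = Object.assign({}, ajaxSettings, options);
  return { settings, handlersFired: settings.global ? globalHandlers.length : 0 };
}

// Internal script fetch that relies on the defaults (the behaviour reported in the ticket).
function loadScriptUnpinned(src) {
  return resolve({ url: src, dataType: "script" });
}

// Internal script fetch that pins the options it depends on (assumed set, for illustration).
const PINNED = { type: "GET", global: false, dataType: "script" };
function loadScriptPinned(src) {
  return resolve(Object.assign({ url: src }, PINNED));
}

// Names of settings the request took from the global defaults, not from the caller.
function inheritedFromDefaults(resolved, callerKeys) {
  return Object.keys(resolved.settings).filter((k) => !callerKeys.includes(k)).sort();
}

// Constructed scenario: application code changes the defaults, as in the ticket,
// and also sets a default header and a global handler.
ajaxSetup({ type: "POST", headers: { "X-Example": "1" } });
globalHandlers.push(() => true);

const before = loadScriptUnpinned("foo.js");
const after = loadScriptPinned("foo.js");
console.log(before.settings.type, before.handlersFired); // POST 1
console.log(after.settings.type, after.handlersFired);   // GET 0
// Anything not pinned is still inherited, so pinning limits the risk only.
console.log(inheritedFromDefaults(after, ["url", ...Object.keys(PINNED)])); // [ 'headers' ]
```
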

comment:6 Changed 2 years ago by jaubourg

  • Milestone changed from 1.next to 1.7.2

Please follow the bug reporting guidelines and use jsFiddle when providing test cases and demonstrations instead of pasting the code in the ticket.
