Bug Tracker

Ticket #13803 (closed bug: fixed)

Opened 15 months ago

Last modified 15 months ago

XMLHttpRequest cannot load

Reported by: mail@… Owned by: gibson042
Priority: high Milestone: 2.0.1
Component: manipulation Version: 2.0.0
Keywords: Cc: jaubourg
Blocking: Blocked by:

Change History

comment:1 Changed 15 months ago by gibson042

  • Cc jaubourg added
  • Owner set to gibson042
  • Status changed from new to assigned
  • Component changed from unfiled to manipulation
  • Priority changed from undecided to high

How ugly...

Cross-domain scripts passed to .domManip have always put at odds our "guarantees" of synchronous behavior and universal script evaluation. The change of dataType from "script" to "text" in  https://github.com/jquery/jquery/commit/03db1ada2cc223edf545c5a452e55062647837fa#L1L259 amounted to sacrificing the latter in favor of the former (by bypassing the element-based script transport), a reversal from versions preceding 2.0.0.

As far as I can tell, backwards compatibility for this case pretty much forces us to again use dataType: "script". Testing it is going to be a pain, though; I don't think we always have a window to search for the injected script element, so we'll probably have to force crossDomain: true and do a server-side check for the absence of an "Origin" header.

comment:2 Changed 15 months ago by dmethvin

Let's discuss this one. Script injection is more a security bug than an API feature, and it seems like we have several other ways of accomplishing this already.

comment:3 Changed 15 months ago by gibson042

Are you referring to native DOM methods? Because ours will send every script src to jQuery.ajax.

comment:4 Changed 15 months ago by jaubourg

We could control in the beforeSend callback that the request is not crossDomain and throw if it is. That'll at least be honest about what's actually going on and what we're able to handle coherently.

There are a lot of other, safer, better, even easier, ways to load scripts.

comment:5 Changed 15 months ago by gibson042

I'm not disagreeing, just pointing out that this regression affects all jQuery DOM manipulation.

comment:6 Changed 15 months ago by jaubourg

Sure enough.

However, given we have no guarantee whatsoever regarding when cross-domain scripts would get executed, this kind of code is begging for race condition and "it fails sometimes" kinda bug reports. So I'd be in favour of going the extra mile and kill this with an exception once and for all. If someone wants to have the old behaviour, it's easy enough to override _evalUrl.

TL;DR: let's break this for real with an exception and let people handle back-compat with _evalURL.

comment:7 Changed 15 months ago by Richard Gibson

  • Status changed from assigned to closed
  • Resolution set to fixed

Fix #13803: domManip remote-script evaluation per 1.9 (AJAX dataType "script")

Changeset: 18cccd04a6f69018242bce96ef905bc5d3be6ff8

comment:8 Changed 15 months ago by gibson042

  • Milestone changed from None to 2.0.1
Note: See TracTickets for help on using tickets.