Bug Tracker

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#11264 closed bug (fixed)

evalScript() uses defaults set by ajaxSetup()

Reported by: Matthijs Kooijman <matthijs@…>
Owned by: Matthijs Kooijman <matthijs@…>
Priority: low
Milestone: 1.7.2
Component: ajax
Version: 1.7.1
Keywords:
Cc:
Blocked by:
Blocking:


When evalScript is loading a script (for example since the HTML loaded by .load() or set by .html() contains a script tag), it uses the .ajax() function to get the contents of that script. This ajax call is affected by the defaults set by the user through ajaxSetup().

Since this is an internal .ajax() call, it would make sense to have it bypass the defaults configured by the user, since those might cause unexpected results (users set those defaults to simplify their own ajax calls).

The particular problem I was running into was that ajaxSetup was used to make ajax() default to doing POST requests, causing jQuery to do a POST request to a static JS file (resulting in a 405 Invalid request from nginx).

Here's a minimal example showing the problem. If you put this in a .html file and open it up in a browser, you'll see (in Firebug, for example) that a POST request happens to foo.js.

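<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<div id="content"></div>
<script>
    // User-level default: every $.ajax() call becomes a POST unless it says otherwise.
    $.ajaxSetup({type: 'POST'});

    // Inserting HTML that contains a script tag makes jQuery fetch foo.js internally.
    $("#content").html("<div><script src=\"foo.js\"></sc" +
        "ript><p>Hello, world!</p></div>");
</script>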

A minimal way to fix this would be to make evalScript explicitly pass type:'POST' to ajax(), but I'm afraid there might be other conflicting settings as well (though I can't give any specific examples...).

On a related note, evalScript should probably pass global: false as well, to prevent globally registered callbacks from running on this internal request (though I guess people might want to register callbacks to run on _every_ request, not just the request they originate themselves...).
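
Added example, not part of the ticket and not jQuery's source: a stand-alone model of the defaults merge described above, showing a user-set `type: 'POST'` default reaching an internal script fetch, next to the same fetch with `type` and `global` stated explicitly. `createAjaxLayer`, `leakedDefaults`, `unpinned` and `pinned` are hypothetical names, and the model assumes per-call options override global defaults.

```javascript
// Simplified model of a defaults-merging ajax layer. NOT jQuery source code;
// createAjaxLayer, leakedDefaults, unpinned and pinned are hypothetical names.
const BASELINE = Object.freeze({ type: "GET", global: true, async: true });

function createAjaxLayer() {
  const settings = { ...BASELINE };      // what ajaxSetup() mutates
  const globalHandlers = [];             // stands in for globally registered callbacks
  const wire = [];                       // constructed request log, no real network I/O
  return {
    wire,
    onSend: (fn) => globalHandlers.push(fn),
    ajaxSetup: (overrides) => Object.assign(settings, overrides),
    // Per-call options win; global defaults fill every key the caller left out.
    ajax(options) {
      const s = { ...settings, ...options };
      if (s.global) globalHandlers.forEach((fn) => fn(s));
      wire.push(`${s.type} ${s.url}`);
      return s;
    },
    // Keys the user changed from the baseline that this call does not pin itself.
    leakedDefaults: (options) =>
      Object.keys(settings).filter((k) => !(k in options) && settings[k] !== BASELINE[k]),
  };
}

// Internal script fetch as the ticket describes it: type and global are inherited.
const unpinned = (src) => ({ url: src, async: false, dataType: "script" });
// Internal script fetch with the settings it depends on stated explicitly.
const pinned = (src) =>
  ({ url: src, type: "GET", global: false, async: false, dataType: "script" });

function demo() {
  const $ = createAjaxLayer();
  const notified = [];
  $.onSend((s) => notified.push(s.url));
  $.ajaxSetup({ type: "POST" });         // same user default as in the ticket's example
  const leakBefore = $.leakedDefaults(unpinned("foo.js"));
  const leakAfter = $.leakedDefaults(pinned("foo.js"));
  $.ajax(unpinned("foo.js"));
  $.ajax(pinned("foo.js"));
  return { wire: $.wire, notified, leakBefore, leakAfter };
}

console.log(demo());
```

The `leakedDefaults` check can be run over any library-internal call site to list which user-changed defaults it would silently inherit.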

Change History (6)

comment:1 Changed 11 years ago by sindresorhus

Owner: set to Matthijs Kooijman <matthijs@…>
Status: new → pending

Thanks for taking the time to contribute to the jQuery project! Please provide a complete reduced test case on jsFiddle to help us assess your ticket.

Additionally, be sure to test against the jQuery Edge version to ensure the issue still exists. To get you started, use this boilerplate: http://jsfiddle.net/FrKyN/ Open the link and click to "Fork" (in the top menu) to get started.

comment:2 Changed 11 years ago by Matthijs Kooijman <matthijs@…>

Status: pending → new

Hmm, awesome tool, jsfiddle. Hadn't seen that one before.

Anyway, I put my example from the ticket into jsfiddle here: http://jsfiddle.net/brhdm/2/

I'm now making my post a bit longer, in the hopes of dissuading akismet of the notion that this comment is spam. It seems a bit misguided by the shortness of the comment and the presence of an external link. Pity I didn't get a recaptcha for this like I did when submitting the ticket.

comment:3 Changed 11 years ago by dmethvin

Component: unfiled → ajax
Milestone: None → 1.next
Priority: undecided → low
Status: new → open

Matthijs, I agree it seems wrong to have a "POST" in global options be able to thwart an evalScript request. Congratulations on passing our spam filter, BTW!

comment:4 Changed 11 years ago by Matthijs Kooijman <matthijs@…>

Thanks for the lightning response!

FWIW, setting up a trac session helped more to thwart the spamfilter than adding more text, it seems.

For completeness, I tested this on 1.6.1, 1.7.1 and on "edge", the latter using jsfiddle.

comment:5 Changed 11 years ago by jaubourg

Resolution: fixed
Status: open → closed

Fixes #11264 or rather seriously limits the risk of global ajaxSettings screwing with script loading in domManip. Gotta love globals and sneaky dependencies. Unit test added.

Changeset: d3fad51cad1f71bd20beba81b51552295721a5a5

comment:6 Changed 11 years ago by jaubourg

Milestone: 1.next → 1.7.2