Skip to main content

Bug Tracker

Side navigation

#11264 closed bug (fixed)

Opened January 31, 2012 03:22PM UTC

Closed March 07, 2012 03:54PM UTC

Last modified March 07, 2012 03:56PM UTC

evalScript() uses defaults set by ajaxSetup()

Reported by: Matthijs Kooijman <matthijs@stdin.nl> Owned by: Matthijs Kooijman <matthijs@stdin.nl>
Priority: low Milestone: 1.7.2
Component: ajax Version: 1.7.1
Keywords: Cc:
Blocked by: Blocking:
Description

When evalScript is loading a script (for example since the HTML loaded by .load() or set by .html() contains a script tag), it uses the .ajax() function to get the contents of that script. This ajax call is affected by the defaults set by the user through ajaxSetup().

Since this is an internal .ajax() call, it would make sense to have it bypass the defaults configured by the user, since those might cause unexpected results (users set those defaults to simplify their own ajax calls).

The particular problem I was running into was that ajaxSetup was used to make ajax() default to doing POST requests, causing jquery to do a POST request to a static JS file (resulting in a 405 Invalid request form nginx).

Here's a minimal example showing the problem. If you put this in a .html file, open it up in a browser, you'll see (in Firebug, for example) that POST request happens to foo.js.

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<div id="content"></div>
<script>
    $.ajaxSetup({type: 'POST'});

    $("#content").html("<div><script src=\\"foo.js\\"></sc" +
        "ript><p>Hello, world!</p></div>");
</script>

A minimal way to fix this would be to make evalScript explicitely pass type:'POST' to ajax(), but I'm afraid there might be other conflicting settings as well (though I can't give any specific examples...).

On a related note, evalScript should probably pass global: false as well, to prevent globally registered callbacks from running on this internal request (though I guess people might want to register callbacks to run on _every_ request, not just the request they originate themselves...).

Attachments (0)
Change History (6)

Changed January 31, 2012 03:24PM UTC by sindresorhus comment:1

owner: → Matthijs Kooijman <matthijs@stdin.nl>
status: newpending

Thanks for taking the time to contribute to the jQuery project! Please provide a complete reduced test case on jsFiddle to help us assess your ticket.

Additionally, be sure to test against the jQuery Edge version to ensure the issue still exists. To get you started, use this boilerplate: http://jsfiddle.net/FrKyN/ Open the link and click to "Fork" (in the top menu) to get started.

Changed January 31, 2012 03:33PM UTC by Matthijs Kooijman <matthijs@stdin.nl> comment:2

status: pendingnew

Hmm, awesome tool, jsfiddle. Hadn't seen that one before.

Anyway, I put my example from the ticket into jsfiddle here: http://jsfiddle.net/brhdm/2/

I'm now making my post a bit longer, in the hopes of dissuading akismet of the notion that this comment is spam. It seems a bit misguided by the shortness of the comment and the presence of an external link. Pity I didn't get a recaptcha for this like I did when submitting the ticket.

Changed January 31, 2012 03:36PM UTC by dmethvin comment:3

component: unfiledajax
milestone: None1.next
priority: undecidedlow
status: newopen

Matthijs, I agree it seems wrong to have a "POST" in global options be able to thwart an evalScript request. Congratulations on passing our spam filter, BTW!

Changed January 31, 2012 03:40PM UTC by Matthijs Kooijman <matthijs@stdin.nl> comment:4

Thanks for the lightning reponse!

FWIW, setting up a trac session helped more to thwart the spamfilter than adding more text, it seems.

For completeness, I tested this on 1.6.1, 1.7.1 and on "edge", the latter using jsfiddle.

Changed March 07, 2012 03:54PM UTC by jaubourg comment:5

resolution: → fixed
status: openclosed

Fixes #11264 or rather seriously limits the risk of global ajaxSettings screwing with script loading in domManip. Gotta love globals and sneaky dependencies. Unit test added.

Changeset: d3fad51cad1f71bd20beba81b51552295721a5a5

Changed March 07, 2012 03:56PM UTC by jaubourg comment:6

milestone: 1.next1.7.2