Bug Tracker

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13803 closed bug (fixed)

XMLHttpRequest cannot load

Reported by: mail@… Owned by: gibson042
Priority: high Milestone: 2.0.1
Component: manipulation Version: 2.0.0
Keywords: Cc: jaubourg
Blocked by: Blocking:

Change History (8)

comment:1 Changed 4 years ago by gibson042

Cc: jaubourg added
Component: unfiledmanipulation
Owner: set to gibson042
Priority: undecidedhigh
Status: newassigned

How ugly...

Cross-domain scripts passed to .domManip have always put at odds our "guarantees" of synchronous behavior and universal script evaluation. The change of dataType from "script" to "text" in https://github.com/jquery/jquery/commit/03db1ada2cc223edf545c5a452e55062647837fa#L1L259 amounted to sacrificing the latter in favor of the former (by bypassing the element-based script transport), a reversal from versions preceding 2.0.0.

As far as I can tell, backwards compatibility for this case pretty much forces us to again use dataType: "script". Testing it is going to be a pain, though; I don't think we always have a window to search for the injected script element, so we'll probably have to force crossDomain: true and do a server-side check for the absence of an "Origin" header.

comment:2 Changed 4 years ago by dmethvin

Let's discuss this one. Script injection is more a security bug than an API feature, and it seems like we have several other ways of accomplishing this already.

comment:3 Changed 4 years ago by gibson042

Are you referring to native DOM methods? Because ours will send every script src to jQuery.ajax.

comment:4 Changed 4 years ago by jaubourg

We could control in the beforeSend callback that the request is not crossDomain and throw if it is. That'll at least be honest about what's actually going on and what we're able to handle coherently.

There are a lot of other, safer, better, even easier, ways to load scripts.

comment:5 Changed 4 years ago by gibson042

I'm not disagreeing, just pointing out that this regression affects all jQuery DOM manipulation.

comment:6 Changed 4 years ago by jaubourg

Sure enough.

However, given we have no guarantee whatsoever regarding when cross-domain scripts would get executed, this kind of code is begging for race condition and "it fails sometimes" kinda bug reports. So I'd be in favour of going the extra mile and kill this with an exception once and for all. If someone wants to have the old behaviour, it's easy enough to override _evalUrl.

TL;DR: let's break this for real with an exception and let people handle back-compat with _evalURL.

comment:7 Changed 4 years ago by Richard Gibson

Resolution: fixed
Status: assignedclosed

Fix #13803: domManip remote-script evaluation per 1.9 (AJAX dataType "script")

Changeset: 18cccd04a6f69018242bce96ef905bc5d3be6ff8

comment:8 Changed 4 years ago by gibson042

Milestone: None2.0.1
Note: See TracTickets for help on using tickets.