#13803 closed bug (fixed)
XMLHttpRequest cannot load
| Reported by: | Owned by: | gibson042 | |
|---|---|---|---|
| Priority: | high | Milestone: | 2.0.1 |
| Component: | manipulation | Version: | 2.0.0 |
| Keywords: | Cc: | jaubourg | |
| Blocked by: | Blocking: |
Description
Change History (8)
comment:1 Changed 6 years ago by
| Cc: | jaubourg added |
|---|---|
| Component: | unfiled → manipulation |
| Owner: | set to gibson042 |
| Priority: | undecided → high |
| Status: | new → assigned |
comment:2 Changed 6 years ago by
Let's discuss this one. Script injection is more a security bug than an API feature, and it seems like we have several other ways of accomplishing this already.
comment:3 Changed 6 years ago by
Are you referring to native DOM methods? Because ours will send every script src to jQuery.ajax.
comment:4 Changed 6 years ago by
We could control in the beforeSend callback that the request is not crossDomain and throw if it is. That'll at least be honest about what's actually going on and what we're able to handle coherently.
There are a lot of other, safer, better, even easier, ways to load scripts.
comment:5 Changed 6 years ago by
I'm not disagreeing, just pointing out that this regression affects all jQuery DOM manipulation.
comment:6 Changed 6 years ago by
Sure enough.
However, given we have no guarantee whatsoever regarding when cross-domain scripts would get executed, this kind of code is begging for race condition and "it fails sometimes" kinda bug reports. So I'd be in favour of going the extra mile and kill this with an exception once and for all. If someone wants to have the old behaviour, it's easy enough to override _evalUrl.
TL;DR: let's break this for real with an exception and let people handle back-compat with _evalURL.
comment:7 Changed 6 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fix #13803: domManip remote-script evaluation per 1.9 (AJAX dataType "script")
Changeset: 18cccd04a6f69018242bce96ef905bc5d3be6ff8
comment:8 Changed 6 years ago by
| Milestone: | None → 2.0.1 |
|---|
How ugly...
Cross-domain scripts passed to
.domManiphave always put at odds our "guarantees" of synchronous behavior and universal script evaluation. The change ofdataTypefrom "script" to "text" in https://github.com/jquery/jquery/commit/03db1ada2cc223edf545c5a452e55062647837fa#L1L259 amounted to sacrificing the latter in favor of the former (by bypassing the element-based script transport), a reversal from versions preceding 2.0.0.As far as I can tell, backwards compatibility for this case pretty much forces us to again use
dataType: "script". Testing it is going to be a pain, though; I don't think we always have a window to search for the injected script element, so we'll probably have to forcecrossDomain: trueand do a server-side check for the absence of an "Origin" header.