Bug Tracker

#13803 closed bug (fixed)

Opened April 21, 2013 10:30AM UTC

Closed April 29, 2013 05:33PM UTC

Last modified April 29, 2013 05:34PM UTC

XMLHttpRequest cannot load

Reported by: mail@set-pro.net
Owned by: gibson042
Priority: high
Milestone: 2.0.1
Component: manipulation
Version: 2.0.0
Keywords:
Cc: jaubourg
Blocked by:
Blocking:
Attachments (0)
Change History (8)

Changed April 21, 2013 05:37PM UTC by gibson042 comment:1

cc: → jaubourg
component: unfiled → manipulation
owner: → gibson042
priority: undecided → high
status: new → assigned

How ugly...

Cross-domain scripts passed to .domManip have always put at odds our "guarantees" of synchronous behavior and universal script evaluation. The change of dataType from "script" to "text" in https://github.com/jquery/jquery/commit/03db1ada2cc223edf545c5a452e55062647837fa#L1L259 amounted to sacrificing the latter in favor of the former (by bypassing the element-based script transport), a reversal from versions preceding 2.0.0.

As far as I can tell, backwards compatibility for this case pretty much forces us to again use dataType: "script". Testing it is going to be a pain, though; I don't think we always have a window to search for the injected script element, so we'll probably have to force crossDomain: true and do a server-side check for the absence of an "Origin" header.

Changed April 21, 2013 07:08PM UTC by dmethvin comment:2

Let's discuss this one. Script injection is more a security bug than an API feature, and it seems like we have several other ways of accomplishing this already.

Changed April 21, 2013 09:21PM UTC by gibson042 comment:3

Are you referring to native DOM methods? Because ours will send every script src to jQuery.ajax.

Changed April 21, 2013 10:20PM UTC by jaubourg comment:4

We could control in the beforeSend callback that the request is not crossDomain and throw if it is. That'll at least be honest about what's actually going on and what we're able to handle coherently.

There are a lot of other, safer, better, even easier, ways to load scripts.

Changed April 21, 2013 10:43PM UTC by gibson042 comment:5

I'm not disagreeing, just pointing out that this regression affects all jQuery DOM manipulation.

Changed April 21, 2013 11:01PM UTC by jaubourg comment:6

Sure enough.

However, given we have no guarantee whatsoever regarding when cross-domain scripts would get executed, this kind of code is begging for race conditions and "it fails sometimes" kinda bug reports. So I'd be in favour of going the extra mile and killing this with an exception once and for all. If someone wants to have the old behaviour, it's easy enough to override _evalUrl.

TL;DR: let's break this for real with an exception and let people handle back-compat with _evalUrl.

Changed April 29, 2013 05:33PM UTC by Richard Gibson comment:7

resolution: → fixed
status: assigned → closed

Fix #13803: domManip remote-script evaluation per 1.9 (AJAX dataType "script")

Changeset: 18cccd04a6f69018242bce96ef905bc5d3be6ff8

Changed April 29, 2013 05:34PM UTC by gibson042 comment:8

milestone: None → 2.0.1