Bug Tracker

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#13928 closed bug (notabug)

Browser extensions that load jquery will destroy an existing AMD module

Reported by: stephen.brandwood@… Owned by:
Priority: undecided Milestone: None
Component: unfiled Version: 1.7.2
Keywords: Cc:
Blocked by: Blocking:

Description

Workflow to reproduce: 1) The page loads requirejs, including jQuery, and sets up some jQuery plugins onto jQuery. 2) A browser extension loads its own version of jQuery into the page, which automatically calls define() on itself, replacing the existing jQuery with a new one, without plugins attached. 3) After some user interaction, require(jquery?) is called and picks up the incorrect version of jQuery.

The fallout of this is two-fold: 1) An unknown version of jQuery is now running on the page. 2) This version of jQuery may not have the previously-defined jQuery plugins attached to it.

The fundamental issue here is that at the end of the jQuery script it automatically registers itself as an AMD module. This is in theory a good thing, except that the majority of browser extension developers will include jQuery onto the page in new and interesting ways, without checking that they will be breaking existing jQuery functionality.

This is potentially made worse by https://github.com/jquery/jquery/pull/1150, which removes the capability to tell jQuery not to automatically define itself.

I'm hoping there is a way to configure my requirejs installation in order to fix this issue, which is incredibly subtle and liking affects many websites without them realising it.

Change History (4)

comment:1 Changed 10 years ago by anonymous

After much digging I have found that requirejs 2.1.2 quietly made a change to prevent a module from being defined twice, so I can upgrade to that in my case.

As a general problem however, is requirejs 2.1.1 no longer safe for use, given the prevalence of these browser extensions? Are other loaders still equally affected?

comment:2 Changed 10 years ago by dmethvin

Resolution: notabug
Status: newclosed

You'd need to ask the requirejs folks about their recommended best practices.

comment:3 Changed 10 years ago by stephen.brandwood@…

On the point of interacting with AMD, I expected a bit more a response, especially given the considerations that have been outlined here: https://github.com/amdjs/amdjs-api/wiki/jQuery-and-AMD and that have featured in many other discussions. - There is a certain responsibility that comes with being a hugely popular or market-leading browser, that will be used by people without perfect knowledge of the damage it can do.

The particular instance that tripped my site up was where a plugin developer had used noConflict, but had no idea that jQuery would also be doing other define() related side-effects.

Secondly is the interactions with plugins and AMD. jQuery supports plugins on it, but happily wants to re-define itself and blast those plugins away. Which is it?

Steve

comment:4 Changed 10 years ago by dmethvin

@stephen, if you have a solution that we can implement that makes everything work right with code written years ago, please let us know.

Note: See TracTickets for help on using tickets.