Skip to main content

Bug Tracker

Side navigation

#13928 closed bug (notabug)

Opened May 23, 2013 10:56AM UTC

Closed May 23, 2013 02:20PM UTC

Last modified May 27, 2013 09:14PM UTC

Browser extensions that load jquery will destroy an existing AMD module

Reported by: stephen.brandwood@gmail.com Owned by:
Priority: undecided Milestone: None
Component: unfiled Version: 1.7.2
Keywords: Cc:
Blocked by: Blocking:
Description

Workflow to reproduce:

1) The page loads requirejs, including jQuery, and sets up some jQuery plugins onto jQuery.

2) A browser extension loads its own version of jQuery into the page, which automatically calls define() on itself, replacing the existing jQuery with a new one, without plugins attached.

3) After some user interaction, require(['jquery']) is called and picks up the incorrect version of jQuery.

The fallout of this is two-fold:

1) An unknown version of jQuery is now running on the page.

2) This version of jQuery may not have the previously-defined jQuery plugins attached to it.

The fundamental issue here is that at the end of the jQuery script it automatically registers itself as an AMD module. This is in theory a good thing, except that the majority of browser extension developers will include jQuery onto the page in new and interesting ways, without checking that they will be breaking existing jQuery functionality.

This is potentially made worse by https://github.com/jquery/jquery/pull/1150, which removes the capability to tell jQuery not to automatically define itself.

I'm hoping there is a way to configure my requirejs installation in order to fix this issue, which is incredibly subtle and liking affects many websites without them realising it.

Attachments (0)
Change History (4)

Changed May 23, 2013 12:26PM UTC by anonymous comment:1

After much digging I have found that requirejs 2.1.2 quietly made a change to prevent a module from being defined twice, so I can upgrade to that in my case.

As a general problem however, is requirejs 2.1.1 no longer safe for use, given the prevalence of these browser extensions? Are other loaders still equally affected?

Changed May 23, 2013 02:20PM UTC by dmethvin comment:2

resolution: → notabug
status: newclosed

You'd need to ask the requirejs folks about their recommended best practices.

Changed May 27, 2013 09:10PM UTC by stephen.brandwood@gmail.com comment:3

On the point of interacting with AMD, I expected a bit more a response, especially given the considerations that have been outlined here: https://github.com/amdjs/amdjs-api/wiki/jQuery-and-AMD and that have featured in many other discussions. - There is a certain responsibility that comes with being a hugely popular or market-leading browser, that will be used by people without perfect knowledge of the damage it can do.

The particular instance that tripped my site up was where a plugin developer had used noConflict, but had no idea that jQuery would also be doing other define() related side-effects.

Secondly is the interactions with plugins and AMD. jQuery supports plugins on it, but happily wants to re-define itself and blast those plugins away. Which is it?

Steve

Changed May 27, 2013 09:14PM UTC by dmethvin comment:4

@stephen, if you have a solution that we can implement that makes everything work right with code written years ago, please let us know.