Skip to content

Commit 68b4ec5

Browse files
mgolmgol
authored
Ajax: Make responseJSON work for erroneous same-domain JSONP requests
Don't use a script tag for JSONP requests unless for cross-domain requests or if scriptAttrs are provided. This makes the `responseJSON` property available in JSONP error callbacks. This fixes a regression from jQuery 3.5.0 introduced in gh-4379 which made erroneous script responses to not be executed to follow native behavior. The 3.x-stable branch doesn't need this fix as it doesn't use script tags for regular async requests. Closes gh-4778 Ref gh-4771 Ref gh-4773 Ref gh-4379
1 parent 1a5fff4 commit 68b4ec5

File tree

1 file changed

+18
-5
lines changed

1 file changed

+18
-5
lines changed

src/ajax/script.js

Lines changed: 18 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,22 @@ import document from "../var/document.js";
33

44
import "../ajax.js";
55

6+
function canUseScriptTag( s ) {
7+
8+
// A script tag can only be used for async, cross domain or forced-by-attrs requests.
9+
// Sync requests remain handled differently to preserve strict script ordering.
10+
return s.crossDomain || s.scriptAttrs ||
11+
12+
// When dealing with JSONP (`s.dataTypes` include "json" then)
13+
// don't use a script tag so that error responses still may have
14+
// `responseJSON` set. Continue using a script tag for JSONP requests that:
15+
// * are cross-domain as AJAX requests won't work without a CORS setup
16+
// * have `scriptAttrs` set as that's a script-only functionality
17+
// Note that this means JSONP requests violate strict CSP script-src settings.
18+
// A proper solution is to migrate from using JSONP to a CORS setup.
19+
( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 );
20+
}
21+
622
// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
723
jQuery.ajaxPrefilter( function( s ) {
824
if ( s.crossDomain ) {
@@ -35,17 +51,14 @@ jQuery.ajaxPrefilter( "script", function( s ) {
3551

3652
// These types of requests are handled via a script tag
3753
// so force their methods to GET.
38-
if ( s.crossDomain || s.async || s.scriptAttrs ) {
54+
if ( canUseScriptTag( s ) ) {
3955
s.type = "GET";
4056
}
4157
} );
4258

4359
// Bind script tag hack transport
4460
jQuery.ajaxTransport( "script", function( s ) {
45-
46-
// This transport only deals with async, cross domain or forced-by-attrs requests.
47-
// Sync requests remain handled differently to preserve strict script ordering.
48-
if ( s.crossDomain || s.async || s.scriptAttrs ) {
61+
if ( canUseScriptTag( s ) ) {
4962
var script, callback;
5063
return {
5164
send: function( _, complete ) {

0 commit comments

Comments
 (0)