jQuery ajax automatically evaluates (runs) script file #4822
Comments
|
In case anyone else stumbles upon this problem, the solution I found was to take down the nasty converter of course (after one hour of searching the code ... ): jQuery.ajaxSettings.contents.script = false; |
mgol
added
the
Discuss in Meeting
mgol
changed the title
timmywil
removed
the
Discuss in Meeting
|
We've decided to make this change and align with the default behavior for cross-origin scripts in 4.0. |
PR jquerygh-2588 made jQuery stop auto-execute cross-domain scripts unless `dataType: "script"` was explicitly provided; this change landed in jQuery 3.0.0. This change extends that logic same-domain scripts as well. After this change, to req uest a script under a provided URL to be evaluated, you need to provide `dataType: "script` in `jQuery.ajax` options or to use `jQuery.getScript`. Fixes jquerygh-4822 Ref jquerygh-2432 Ref jquerygh-2588
|
First of all, I would like to say a greatly thank you to all of you working on the library of jQuery (what would we do without it), |
|
@alexNecroJack Thank you for the issue! Always nice to hear someone appreciates our work. I think all devs can relate to the feeling of not finishing something in the expected time, but you didn't come off as an ass to me. |
PR jquerygh-2588 made jQuery stop auto-execute cross-domain scripts unless `dataType: "script"` was explicitly provided; this change landed in jQuery 3.0.0. This change extends that logic same-domain scripts as well. After this change, to request a script under a provided URL to be evaluated, you need to provide `dataType: "script` in `jQuery.ajax` options or to use `jQuery.getScript`. Fixes jquerygh-4822 Ref jquerygh-2432 Ref jquerygh-2588
PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless `dataType: "script"` was explicitly provided; this change landed in jQuery 3.0.0. This change extends that logic same-domain scripts as well. After this change, to request a script under a provided URL to be evaluated, you need to provide `dataType: "script` in `jQuery.ajax` options or to use `jQuery.getScript`. Fixes gh-4822 Closes gh-4825 Ref gh-2432 Ref gh-2588
What do you expect to happen?
When I fetch a JavaScript file with jQuery, for example with $.get(...) I do NOT expect it to run on load. *
I expect to get my data as a string (unless specified otherwise).
What actually happens?
When I fetch a JavaScript file with $.get(...) from THE SAME domain *** , then the script is auto-evaluated.
Which means the jQuery converted set in jQuery.ajaxSettings.converters['text script'] jumps into place,
and does ugly things, it actually runs the JavaScript code in the file.... while running the code of $.get(...) ...
* Since this "auto-run" functionality which is accompliced with eval** is not stated in the documentation, I suppose
no-one else expects it to happen either.
*** because hey, someone thought we should consider security and prevented auto-runing cors scripts,
and thus I can not setup an example online...
The code preventing it is this bellow, and as you can see, it already hints: "auto-execution of scripts",
which should not be part or a simple $.get(...) request...
About conversions making sense
because when I actually come to use my data, I will need them as javascript objects.
unless we were to run it... And who would need javascript files to be run on fetch, since at fetch time,
it is jQuery code, which means code execution is way before we come to the point of using -with our own code-
that which was fetched (the javascript code)...
Link to test case
https://jsfiddle.net/a3quxb24/1/
Take a not though, as I said before the only way to stumble upon this "auto-run" js on file fetch is to have the js file
in the same domain where the $.get is executed.
And since the test code and the javascript file can not be in the same domain in my example
(To my knowledge, nor JSFiddle, Codepen or JSBin allow you to upload your own pure js file)
therefor the only way to see the bug in action, is to place a breakpoint in line 10123 in the jQuery file in JSFiddle (jquery-3.5.1.js),
turn s.crossDomain to false (in order not to disable the converted) and right after the
if(s.crossDomain)is skippedturn s.crossDomain back to true (in order for the request to be completed without errors).
And that is it! You will see how the script executes on it's own, with globalEvaluate.
Some might argue this is a feature.
But I disagree:
doing things
is not a thing to do.
it makes perfect sense that a javascript file fetched should be nailed to my html page, because.. you never know, you might need it right now...
It makes no sense.
The text was updated successfully, but these errors were encountered: