Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ajax: Avoid CSP errors in the script transport for async requests #4763

Merged
merged 1 commit into from
Aug 25, 2020
Merged

Ajax: Avoid CSP errors in the script transport for async requests #4763

merged 1 commit into from
Aug 25, 2020

Conversation

mgol
Copy link
Member

@mgol mgol commented Jul 29, 2020
edited
Loading

Summary

Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with scriptAttrs set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes jQuery.getScript not trigger CSP errors
as it uses the AJAX script transport under the hood.

For sync requests such a change is impossible and that's what jQuery._evalUrl
uses. Fixing that is tracked in gh-1895.

The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
scriptAttrs set in addition to the existing cross-domain ones.

Fixes gh-3969

Checklist

@mgol mgol added this to the 4.0.0 milestone Jul 29, 2020
@mgol mgol requested review from dmethvin, timmywil and gibson042 July 29, 2020 15:11
@mgol mgol mentioned this pull request Jul 29, 2020
Closed
@mgol mgol self-assigned this Jul 29, 2020
@mgol
Copy link
Member Author

mgol commented Jul 29, 2020

I believe this is not a breaking change. Can we include it in 3.6.0?

dmethvin
dmethvin reviewed Jul 31, 2020
View reviewed changes
Copy link
Member

@dmethvin dmethvin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing we do lose here is the ability to set XHR stuff like headers on a script request. I would definitely consider that a breaking change but since it's set for 4.0 it's fair game. At the moment though, there doesn't seem to be an easy way to get the old behavior back and use the old transport.

Krinkle
Krinkle reviewed Aug 17, 2020
View reviewed changes
src/ajax/script.js Outdated

// These types of requests are handled via a script tag
// so force their methods to GET.
if ( s.async || s.crossDomain || s.scriptAttrs ) {
Copy link
Member

@Krinkle Krinkle Aug 17, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you optimize this order for gzip compression? If not, I suspect placing s.crossDomain first might chop off a byte or two.

Copy link
Member Author

@mgol mgol Aug 24, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I checked various reorderings & what you propose (+ a few others) were the smallest. Smaller by... one byte compared to my original version. 😄

PR updated. +10 bytes now.

@mgol mgol added the Discuss in Meeting Reserved for Issues and PRs that anyone would like to discuss in the weekly meeting. label Aug 22, 2020
timmywil
timmywil approved these changes Aug 24, 2020
View reviewed changes
Copy link
Member

@timmywil timmywil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM pending Krinkle's comment

@mgol
Copy link
Member Author

mgol commented Aug 24, 2020

Adding the Behavior Change label per @dmethvin's comment: #4763 (review)

@mgol
Ajax: Avoid CSP errors in the script transport for async requests
0ddb0e0 
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.

For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in jquerygh-1895.

The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.

Fixes jquerygh-3969
@mgol mgol removed Discuss in Meeting Reserved for Issues and PRs that anyone would like to discuss in the weekly meeting. Needs review labels Aug 25, 2020
@mgol mgol merged commit 07a8e4a into jquery:master Aug 25, 2020
@mgol mgol deleted the get-script-csp branch August 25, 2020 19:28
@mgol mgol mentioned this pull request Aug 26, 2020
Merged
@rorymulcahey rorymulcahey mentioned this pull request May 20, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Krinkle Krinkle Krinkle left review comments

@dmethvin dmethvin dmethvin left review comments

@timmywil timmywil timmywil approved these changes

@melloware melloware melloware approved these changes

@gibson042 gibson042 Awaiting requested review from gibson042

Assignees

@mgol mgol

Labels
Ajax Behavior Change
Milestone
4.0.0
Development

Successfully merging this pull request may close these issues.

getScript requires 'unsafe-inline' CSP rule
5 participants
@mgol @Krinkle @dmethvin @timmywil @melloware