Ajax: Allow custom attributes when script transport is used

Fixes gh-3028
Ref gh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.

src/ajax/script.js

@@ -43,15 +43,15 @@ jQuery.ajaxPrefilter( "script", function( s ) {
 // Bind script tag hack transport
 jQuery.ajaxTransport( "script", function( s ) {
 
-	// This transport only deals with cross domain requests
-	if ( s.crossDomain ) {
+	// This transport only deals with cross domain or forced-by-attrs requests
+	if ( s.crossDomain || s.scriptAttrs ) {
 		var script, callback;
 		return {
 			send: function( _, complete ) {
 				script = jQuery( "<script>" ).prop( {
 					charset: s.scriptCharset,
 					src: s.url
-				} ).on(
+				} ).attr( s.scriptAttrs || {} ).on(
 					"load error",
 					callback = function( evt ) {
 						script.remove();

test/unit/ajax.js

@@ -89,6 +89,29 @@ QUnit.module( "ajax", {
 		}
 	);
 
+	ajaxTest( "jQuery.ajax() - custom attributes for script tag", 4,
+		function( assert ) {
+			var nonceValue = "0123456789";
+			return {
+				create: function( options ) {
+					var xhr;
+					options.dataType = "script";
+					options.scriptAttrs = { id: "jquery-ajax-test", nonce: nonceValue };
+					xhr = jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+					// Ensure the script tag has the nonce attr on it
+					assert.ok( nonceValue === jQuery( "#jquery-ajax-test" ).attr( "nonce" ), "nonce value" );
+					return xhr;
+				},
+				success: function() {
+					assert.ok( true, "success" );
+				},
+				complete: function() {
+					assert.ok( true, "complete" );
+				}
+			};
+		}
+	);
+
 	ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
 		return {
 			create: function( options ) {