296 Commits

Author SHA1 Message Date
Michał Gołębiowski-Owczarek
025da4dd34
Ajax: Don't auto-execute scripts unless dataType provided
PR gh-2588 made jQuery stop auto-executing cross-domain scripts unless
`dataType: "script"` was explicitly provided; this change landed in jQuery
3.0.0. This change extends that logic to same-domain scripts as well.

After this change, to request a script under a provided URL to be evaluated,
you need to provide `dataType: "script"` in `jQuery.ajax` options or to use
`jQuery.getScript`.

Fixes gh-4822
Closes gh-4825
Ref gh-2432
Ref gh-2588
2021-01-26 15:58:29 +01:00
Michał Gołębiowski-Owczarek
d38528b17a
Tests: Fix tests for not auto-executing scripts without dataType
Two issues are fixed in testing for responses with a script Content-Type not
getting auto-executed unless an explicit `dataType: "script"` is provided:
* the test is now using a correct "text/javascript" Content-Type; it was using
  "text/html" until now which doesn't really check if the fix works
* the Node.js based version of the tests didn't account for an empty `header`
  query string parameter

Closes gh-4824
Ref gh-2432
Ref gh-2588
Ref 39cdb8c9aa
2021-01-11 18:20:36 +01:00
Michał Gołębiowski-Owczarek
e35fb62db4
Core: Drop support for Edge Legacy (i.e. non-Chromium Microsoft Edge)
Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft
Edge version. Also, restrict some workarounds that were applied
unconditionally in all browsers to run only in IE now. This slightly
increases the size but reduces the performance burden on modern browsers
that don't need the workarounds.

Also, clean up some comments & remove some obsolete workarounds.

Fixes gh-4568
Closes gh-4792
2020-09-22 17:49:28 +02:00
Michał Gołębiowski-Owczarek
c18dc49699
Tests: Skip the "jQuery.ajax() on unload" test in Safari
The test has been already skipped in Chrome as it dropped support for such
requests and now Safari has joined the squad.

This will resolve AJAX test errors we've had for a while in Safari 13 & iOS 13.

Closes gh-4779
2020-09-02 18:04:44 +02:00
Dallas Fraser
a1e619b03a
Ajax: Execute JSONP error script responses
Issue gh-4379 was meant to be a bug fix but the JSONP case is a bit special:
under the hood it's a script but it simulates JSON responses in an environment
without a CORS setup and sending JSON payloads on error responses is quite
typical there.

This commit makes JSONP error responses still execute the payload. The regular
script error responses continue to be skipped.

Fixes gh-4771
Closes gh-4773
2020-08-25 21:41:06 +02:00
Michał Gołębiowski-Owczarek
07a8e4a177
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.

For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.

The commit also makes other types of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.

Fixes gh-3969
Closes gh-4763
2020-08-25 21:28:30 +02:00
Michał Gołębiowski-Owczarek
e7b3bc488d
Ajax: Drop the json to jsonp auto-promotion logic
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes gh-1799
Fixes gh-3376
Closes gh-4754
2020-07-27 19:15:57 +02:00
Christian Wenz
7fb90a6bea
Ajax: Overwrite s.contentType with content-type header value, if any
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".

Fixes gh-4119
Closes gh-4650

Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
2020-04-06 21:15:55 +02:00
Michał Gołębiowski-Owczarek
90fed4b453
Manipulation: Make jQuery.htmlPrefilter an identity function
Closes gh-4642
2020-03-16 21:49:29 +01:00
Michał Gołębiowski-Owczarek
0f780ba7cc
Build:Tests: Fix custom build tests, verify on Travis
This commit fixes unit tests for the following builds:

1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`

It also adds separate Travis jobs for the no-deprecated & slim builds. 

Closes gh-4577
2020-01-07 23:59:08 +01:00
Michał Gołębiowski-Owczarek
323575fb9b Tests: Don't test synchronous XHR on unload in Chrome
Chrome 78 dropped support for synchronous XHR requests inside of
beforeunload, unload, pagehide, and visibilitychange event handlers.
See https://bugs.chromium.org/p/chromium/issues/detail?id=952452

Closes gh-4536

(cherry picked from commit c5b48c8caa)
2019-10-28 20:43:16 +01:00
Michał Gołębiowski-Owczarek
f09d92100f
Docs: Update most URLs to HTTPS
Closes gh-4511
2019-10-21 19:03:48 +02:00
Sean Robinson
50871a5a85 Ajax: Do not execute scripts for unsuccessful HTTP responses
The script transport used to evaluate fetched script sources which is
undesirable for unsuccessful HTTP responses. This is different to other data
types where such a convention was fine (e.g. in case of JSON).

Fixes gh-4250
Closes gh-4379
2019-09-26 02:43:30 +02:00
Michał Gołębiowski-Owczarek
3527a38405
Core: Remove IE-specific support tests, rely on document.documentMode
Also, update some tests to IE-sniff when deciding whether
to skip a test.

Fixes gh-4386
Closes gh-4387
2019-05-13 21:39:56 +02:00
Michał Gołębiowski-Owczarek
cf84696fd1
Core: Drop support for IE <11, iOS <11, Firefox <65, Android Browser & PhantomJS
Also, update support comments format to match format described in:
https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-69379197
with the change from:
https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-448998379
(open-ended ranges end with `+`).

Fixes gh-3950
Fixes gh-4299
Closes gh-4347
2019-04-29 22:56:09 +02:00
Michał Gołębiowski-Owczarek
4455f8db4e
Tests: Make Android Browser 4.0-4.3 AJAX tests green
Android Browser versions provided by BrowserStack fail the "prototype collision
(constructor)" test while locally fired emulators don't, even when they connect
to TestSwarm. Just skip the test there to avoid a red build.

Closes gh-4334
2019-03-27 15:46:20 +01:00
abnud1
c349818742 Build: Update test code for compatibility with QUnit 2.x (#4297)
Also, run `grunt npmcopy` to sync the "external" directory with dependencies
from package.json. For example, the Sinon library version didn't match.

Ref gh-4234
Closes gh-4297
2019-02-18 19:03:26 +01:00
Michał Gołębiowski-Owczarek
9cb162f6b6
Tests: Exclude Android 4.x from repeated header names test
Android Browser only returns the last value for each header so there's no way
for jQuery to get all parts.

Closes gh-4259
Ref gh-3403
Ref gh-4173
2018-12-14 22:06:44 +01:00
Andrei Fangli
e0d9411569 Ajax: Fix getResponseHeader(key) for IE11
- getResponseHeader(key) combines all header values for the provided key into a
single result where values are concatenated by ', '. This does not happen for
IE11 since multiple values for the same header are returned on separate lines.
This makes the function only return the last value of the header for IE11.
- Updated ajax headers test to better cover Object.prototype collisions

Close gh-4173
Fixes gh-3403
2018-11-26 12:00:41 -05:00
Richard Gibson
dfa92ccead
Tests: Allow Karma to load unminified source
Closes gh-4128
2018-09-07 10:14:01 -04:00
Dave Methvin
dc48b11e0c squash! Set attributes all at once, src last
2018-05-14 14:09:43 -04:00
Dave Methvin
1f4375a342 Ajax: Allow custom attributes when script transport is used
Fixes gh-3028
Ref gh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.
2018-05-14 14:09:43 -04:00
Michał Gołębiowski-Owczarek
56742491bd
Tests: Disable native abort test in Android 4.0
The test works on its own when checked manually but mysteriously fails in
TestSwarm only in Android 4.0. Let's just disable it there.

Closes gh-3968
2018-02-12 19:08:36 +01:00
Jason Bedard
1ea092a54b
Core: deprecate jQuery.type
Fixes gh-3605
Close gh-3895
2018-01-16 10:39:08 -05:00
Dave Methvin
d7237896c7 Ajax: Don't process non-string data property on no-entity-body requests
Fixes gh-3438
Closes gh-3781
2018-01-15 21:48:54 -05:00
Timmy Willison
e2f192887c
Tests: only run ontimeout test if ontimeout exists
Fixes gh-3742
Close gh-3919
2018-01-08 11:46:43 -05:00
Timmy Willison
7be448d41f
Ajax: add unit test for getScript(Object)
Fixes gh-3736
Close gh-3918
2018-01-08 11:45:21 -05:00
Timo Tijhof
ecd8ddea33
Tests: Add support for running unit tests via grunt with karma
- Update QUnit to 1.23.1
- Remove unused dl#dl from test/index.html
- Remove unused map#imgmap from test/index.html
- Ensure all urls to data use baseURI
- Add the 'grunt karma:main' task
  - customContextFile & customDebugFile
- Add 'npm run jenkins' script

Close gh-3744
Fixes gh-1999
2017-12-18 12:27:38 -05:00
Erik Lax
262acc6f1e
Ajax: add an ontimeout handler to all requests
Fixes gh-3586
Close gh-3590
2017-07-24 11:44:09 -04:00
Michał Gołębiowski
731c501155 Docs:Tests: Update IE/Edge-related support comments & tests
Closes gh-3661
2017-05-15 20:37:14 +02:00
Timmy Willison
3bbcce68d7
Core: rnotwhite -> rhtmlnotwhite and jQuery.trim -> stripAndCollapse
- Renames and changes rnotwhite to focus on HTML whitespace chars
- Change internal use of jQuery.trim to more accurate strip and collapse
- Adds tests to ensure HTML space characters are retained where valid
- Doesn't add tests where the difference is inconsequential and
  existing tests are adequate.

Fixes gh-3003
Fixes gh-3072
Close gh-3316
2016-09-15 10:40:27 -04:00
Dave Methvin
cd4ad00478 Ajax: Don't mangle the URL when removing the anti-cache param
Fixes gh-3229
Closes gh-3253
2016-08-08 12:13:22 -04:00
Oleg Gaidarenko
58c6ca9822 Build: ESLint details
Use eslint pragmas, fix new errors, etc

Closes gh-3148
2016-06-11 10:41:33 +03:00
Dave Methvin
df2051cf59 Ajax: Ensure ajaxSettings.traditional is still honored
Fixes gh-3023
Closes gh-3081

Since .param() no longer looks at this setting we need unit tests
to ensure it is still honored by $.ajax().
2016-04-27 09:06:43 -04:00
Dave Methvin
e5ffcb0838 Tests: Refactor testIframe() to make it DRYer and more consistent
Ref gh-3040
Closes gh-3049
2016-04-11 13:32:51 -04:00
Oleg Gaidarenko
5d20a3c3f1 Ajax: execute jQuery#load callback with correct context
Thanks @blq (Fredrik Blomqvist)

Fixes gh-3035
Close gh-3039
2016-04-04 16:22:35 -04:00
Michał Gołębiowski
9b086888b8 Docs:Tests: Remove obsolete code from tests, update support comments
Support comments that were lacking the final IE/Edge version that exhibits
the bug were checked & updated. Links to the Chromium bug tracker were updated.
Code in tests related to unsupported browsers (like Android 2.3 in non-basic
tests) has been removed.

Fixes gh-2868
Closes gh-2949
2016-03-08 23:26:46 +01:00
Michał Gołębiowski
93a8fa6bfc Core: Deprecate jQuery.parseJSON
Fixes gh-2800
Closes gh-2948
2016-03-02 13:12:35 +01:00
Josh Soref
aae44111e2 Docs: Fix various spelling errors
Closes gh-2761
2016-01-13 13:11:11 -05:00
Dave Methvin
e077ffb083 Ajax: Preserve URL hash on requests
Fixes gh-1732
Closes gh-2721
2015-11-30 19:55:50 -05:00
Dave Methvin
769446c697 Ajax: Don't throw exceptions on binary data response
Fixes gh-2498
Closes gh-2682

The added unit test shows how this could be used to support an
ArrayBuffer return, but $.ajax does not support it natively.
The goal with this change was to avoid the exception.
2015-11-04 12:47:16 -05:00
Timmy Willison
76e9a95dbe Ajax: trigger error callback on native abort
- IE9 does not have onabort. Use onreadystatechange instead.

Fixes gh-2079
Close gh-2684
2015-11-03 12:34:04 -05:00
Dave Methvin
70605c8e56 Ajax: Only form-encode requests with a body
Fixes #2658
Closes #2671
2015-11-02 13:14:46 -05:00
Richard Gibson
5b554cf04e Tests: Use standard external domain name
Ref 01c360f963

(cherry picked from commit 3680689165)
2015-10-23 11:56:29 -04:00
Oleg Gaidarenko
39cdb8c9aa Ajax: don't expect cross-origin tests to run in envs which do not support it
Follow-up to b078a62013
2015-10-13 00:00:38 +03:00
Oleg Gaidarenko
239169bb2e Ajax: improve content-type detection
Fixes gh-2584
Closes gh-2643
2015-10-12 22:38:15 +03:00
Oleg Gaidarenko
b078a62013 Ajax: Mitigate possible XSS vulnerability
Proposed by @jaubourg

Fixes gh-2432
Closes gh-2588
2015-10-12 17:05:18 +03:00
Oleg Gaidarenko
c8d15a2f9f Tests: further improvements QUnit 2.0 migration
* Remove QUnit jshint globals
* Extend QUnit.assert methods
* Use assert.async instead of start/stop/done

Ref b930d14ce6
2015-09-08 04:06:20 +03:00
Oleg Gaidarenko
10fdad742a Build: Update jscs and lint files
Fixes gh-2056
2015-09-07 20:03:50 +03:00
Oleg Gaidarenko
b930d14ce6 Tests: partially use new qunit interface
http://qunitjs.com/upgrade-guide-2.x/

For most of the boring work, the
https://github.com/apsdehal/qunit-migrate package was used

However, it can't update local qunit helpers, plus in some places
old QUnit.asyncTest signature is still used

Fixes gh-2540
2015-08-16 09:02:01 +03:00