mirror of
https://github.com/jquery/jquery.git
synced 2024-12-09 08:04:24 +00:00
07a8e4a177
Until now, the AJAX script transport only used a script tag to load scripts for cross-domain requests or ones with `scriptAttrs` set. This commit makes it also used for all async requests to avoid CSP errors arising from usage of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors as it uses the AJAX script transport under the hood. For sync requests such a change is impossible and that's what `jQuery._evalUrl` uses. Fixing that is tracked in gh-1895. The commit also makes other type of requests using the script tag version of the script transport set its type to "GET", namely async scripts & ones with `scriptAttrs` set in addition to the existing cross-domain ones. Fixes gh-3969 Closes gh-4763
26 lines
442 B
JavaScript
26 lines
442 B
JavaScript
/* global startIframeTest */
|
|
|
|
var timeoutId, type;
|
|
|
|
function finalize() {
|
|
startIframeTest( type, window.downloadedScriptCalled );
|
|
}
|
|
|
|
timeoutId = setTimeout( function() {
|
|
finalize();
|
|
}, 1000 );
|
|
|
|
jQuery
|
|
.ajax( {
|
|
url: "csp-ajax-script-downloaded.js",
|
|
dataType: "script",
|
|
method: "POST",
|
|
beforeSend: function( _jqXhr, settings ) {
|
|
type = settings.type;
|
|
}
|
|
} )
|
|
.then( function() {
|
|
clearTimeout( timeoutId );
|
|
finalize();
|
|
} );
|