jquery/test/data/csp-ajax-script.js
Michał Gołębiowski-Owczarek 07a8e4a177
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.

For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.

The commit also makes the other types of requests that use the script tag
version of the script transport set their type to "GET", namely async scripts
& ones with `scriptAttrs` set, in addition to the existing cross-domain ones.

Fixes gh-3969
Closes gh-4763
2020-08-25 21:28:30 +02:00

26 lines
442 B
JavaScript

/* global startIframeTest */
// Handle of the fallback timer, kept so the success path can cancel it.
var timeoutId;

// Request type as seen in the beforeSend hook; stays undefined until that hook runs.
var type;
/**
 * Reports the outcome of this fixture to the test harness.
 *
 * Passes along the request type recorded in `type` and the current value of
 * `window.downloadedScriptCalled`.
 * NOTE(review): the flag is presumably set by csp-ajax-script-downloaded.js
 * when that script executes; confirm against that file.
 */
function finalize() {
	var scriptRan = window.downloadedScriptCalled;

	startIframeTest( type, scriptRan );
}
// Fallback: `.then` below registers only a success handler, so if the request
// fails or never settles (for example because the script load is blocked),
// this timer is the only path that reports a result.
// NOTE(review): if the request resolves only after the timer has fired,
// finalize() runs a second time; confirm startIframeTest tolerates that.
timeoutId = setTimeout( finalize, 1000 );

jQuery
	.ajax( {
		url: "csp-ajax-script-downloaded.js",
		dataType: "script",

		// POST is requested here; per the commit description the script-tag
		// transport is expected to set the type to "GET" for async requests.
		method: "POST",

		// Record the type jQuery settled on for this request so that
		// finalize() can report it.
		beforeSend: function recordType( _jqXhr, settings ) {
			type = settings.type;
		}
	} )
	.then( function onScriptLoaded() {

		// Success arrived in time: cancel the fallback and report now.
		clearTimeout( timeoutId );
		finalize();
	} );