jquery/test/data/csp-ajax-script.html
Michał Gołębiowski-Owczarek 07a8e4a177
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.

For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.

The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.

Fixes gh-3969
Closes gh-4763
2020-08-25 21:28:30 +02:00

14 lines
347 B
HTML

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>jQuery.ajax() - script, CSP script-src compat (gh-3969)</title>
<script src="../jquery.js"></script>
<script src="iframeTest.js"></script>
<script src="csp-ajax-script.js"></script>
</head>
<body>
<p>CSP Test Page</p>
</body>
</html>