Ajax: Don't auto-execute scripts unless dataType provided

PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless `dataType: "script"` was explicitly provided; this change landed in jQuery 3.0.0. This change extends that logic same-domain scripts as well. After this change, to request a script under a provided URL to be evaluated, you need to provide `dataType: "script` in `jQuery.ajax` options or to use `jQuery.getScript`. Fixes gh-4822 Closes gh-4825 Ref gh-2432 Ref gh-2588
jquery · Jan 26, 2021 · 025da4d · 025da4d
1 parent a32cf63
commit 025da4d
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 59 deletions.
diff --git a/src/ajax/script.js b/src/ajax/script.js
@@ -19,22 +19,13 @@ function canUseScriptTag( s ) {
 		( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 );
 }
 
-// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
-jQuery.ajaxPrefilter( function( s ) {
-	if ( s.crossDomain ) {
-		s.contents.script = false;
-	}
-} );
-
-// Install script dataType
+// Install script dataType. Don't specify `content.script` so that an explicit
+// `dataType: "script"` is required (see gh-2432, gh-4822)
 jQuery.ajaxSetup( {
 	accepts: {
 		script: "text/javascript, application/javascript, " +
 			"application/ecmascript, application/x-ecmascript"
 	},
-	contents: {
-		script: /\b(?:java|ecma)script\b/
-	},
 	converters: {
 		"text script": function( text ) {
 			jQuery.globalEval( text );

diff --git a/test/unit/ajax.js b/test/unit/ajax.js
@@ -71,13 +71,20 @@ QUnit.module( "ajax", {
 		};
 	} );
 
-	ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+	ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
 		function( assert ) {
 			return {
 				create: function( options ) {
-					options.crossDomain = true;
+					var xhr;
+					options.method = "POST";
 					options.dataType = "script";
-					return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
+					options.scriptAttrs = { id: "jquery-ajax-test", async: "async" };
+					xhr = jQuery.ajax( url( "mock.php?action=script" ), options );
+					assert.equal( jQuery( "#jquery-ajax-test" ).attr( "async" ), "async", "attr value" );
+					return xhr;
+				},
+				beforeSend: function( _jqXhr, settings ) {
+					assert.strictEqual( settings.type, "GET", "Type changed to GET" );
 				},
 				success: function() {
 					assert.ok( true, "success" );
@@ -89,20 +96,13 @@ QUnit.module( "ajax", {
 		}
 	);
 
-	ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
+	ajaxTest( "jQuery.ajax() - execute JS when dataType option is provided", 3,
 		function( assert ) {
 			return {
 				create: function( options ) {
-					var xhr;
-					options.method = "POST";
+					options.crossDomain = true;
 					options.dataType = "script";
-					options.scriptAttrs = { id: "jquery-ajax-test", async: "async" };
-					xhr = jQuery.ajax( url( "mock.php?action=script" ), options );
-					assert.equal( jQuery( "#jquery-ajax-test" ).attr( "async" ), "async", "attr value" );
-					return xhr;
-				},
-				beforeSend: function( _jqXhr, settings ) {
-					assert.strictEqual( settings.type, "GET", "Type changed to GET" );
+					return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
 				},
 				success: function() {
 					assert.ok( true, "success" );
@@ -114,22 +114,16 @@ QUnit.module( "ajax", {
 		}
 	);
 
-	ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
-		return {
-			create: function( options ) {
-				options.crossDomain = true;
-				return jQuery.ajax( url( "mock.php?action=script&header" ), options );
-			},
-			success: function() {
-				assert.ok( true, "success" );
-			},
-			fail: function() {
-				assert.ok( false, "fail" );
-			},
-			complete: function() {
-				assert.ok( true, "complete" );
-			}
-		};
+	jQuery.each( [ " - Same Domain", " - Cross Domain" ], function( crossDomain, label ) {
+		ajaxTest( "jQuery.ajax() - do not execute JS (gh-2432, gh-4822) " + label, 1, function( assert ) {
+			return {
+				url: url( "mock.php?action=script&header" ),
+				crossDomain: crossDomain,
+				success: function() {
+					assert.ok( true, "success" );
+				}
+			};
+		} );
 	} );
 
 	ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
@@ -1439,25 +1433,6 @@ QUnit.module( "ajax", {
 		};
 	} );
 
-	ajaxTest( "jQuery.ajax() - script by content-type", 2, function() {
-		return [
-			{
-				url: baseURL + "mock.php?action=script",
-				data: {
-					"header": "script"
-				},
-				success: true
-			},
-			{
-				url: baseURL + "mock.php?action=script",
-				data: {
-					"header": "ecma"
-				},
-				success: true
-			}
-		];
-	} );
-
 	ajaxTest( "jQuery.ajax() - JSON by content-type", 5, function( assert ) {
 		return {
 			url: baseURL + "mock.php?action=json",