
Support ajax script attributes (e.g. for SRI or CSP) #3028

Closed
jonathanKingston opened this issue Mar 30, 2016 · 6 comments


@jonathanKingston jonathanKingston commented Mar 30, 2016

@razamirza mentioned here: jquery/codeorigin.jquery.com#20 (comment)

Is there any plan to add support for SRI to jQuery.getScript()? http://api.jquery.com/jQuery.getScript/

I think it would be worth considering adding support to check a script on the outside, however probably this is worthy of an extension until all browsers support fetch+SRI/WebCrypto natively.


@dmethvin dmethvin commented Mar 30, 2016

We recently got a similar request for CSP nonces in #2612 but the submitter went dark. Rather than trying to support all these individually and then needing to verify they each work across all browsers, maybe we could just treat this like headers and give $.ajax a general way to put attributes in the script tag.


@razamirza razamirza commented Mar 30, 2016

If my request wasn't clear, here is the exact scenario. We use jQuery.getScript() to get script from third party CDNs, and want to check for the integrity of script, so we need something like:

jQuery.getScript( url [, hash, backupPath ] )

I'm relatively new to js, but no reason why I can't chip in.


@dmethvin dmethvin commented Apr 8, 2016

I'd prefer we just add options to jQuery.ajax() that let you set attributes on the tag before it is added to the DOM. So something like this:

$.ajax({
  dataType: "script",
  url: "https://some/path",
  attrs: { nonce: "EDNnf03nceIOfn39fn3e9h3sdfa" },
});

which would inject a tag like:

<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa" src="https://some/path">

I suppose we could have jQuery.getScript( url [, attrs] [, success] ) as well. The implementation would end up mapping any jQuery.getScript() call into jQuery.ajax() anyway since this additional information has to make it all the way to the script transport.

@timmywil timmywil added this to the 3.2.0 milestone Jun 30, 2016
@dmethvin dmethvin self-assigned this Sep 26, 2016

@markelog markelog commented Oct 31, 2016

attrs attribute would be useless if dataType is not script, correct?


@dmethvin dmethvin commented Oct 31, 2016

@markelog Yes, unfortunately it's another transport-specific setting. It would be ignored by transports that didn't need it such as XHR.

@timmywil timmywil modified the milestones: 3.3.0, 3.2.0 Mar 6, 2017
@gibson042 gibson042 added the Ajax label Jul 31, 2017
dmethvin added a commit to dmethvin/jquery that referenced this issue Sep 12, 2017
Fixes jquerygh-3028
Ref jquerygh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.
@timmywil timmywil modified the milestones: 3.3.0, 3.4.0 Nov 13, 2017
dmethvin added a commit to dmethvin/jquery that referenced this issue Mar 8, 2018
Fixes jquerygh-3028
Ref jquerygh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.

@dmethvin dmethvin commented Mar 8, 2018

Based on the way the PR is implemented, if scriptAttrs is set it will cause a script request to use a script tag, even if it's not cross-domain. The list of attrs can be empty.

@dmethvin dmethvin changed the title Consider supporting SRI in getScript Support custom script attributes (e.g. for SRI or CSP) Apr 4, 2018
@dmethvin dmethvin changed the title Support custom script attributes (e.g. for SRI or CSP) Support ajax script attributes (e.g. for SRI or CSP) Apr 4, 2018
dmethvin added a commit that referenced this issue May 14, 2018
Fixes gh-3028
Ref gh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.
@lock lock bot locked as resolved and limited conversation to collaborators Nov 10, 2018