Support ajax script attributes (e.g. for SRI or CSP) #3028

Closed
jonathanKingston opened this Issue Mar 30, 2016 · 6 comments

@jonathanKingston

commented Mar 30, 2016

@razamirza mentioned here: jquery/codeorigin.jquery.com#20 (comment)

Is there any plan to add support for SRI to jQuery.getScript()? http://api.jquery.com/jQuery.getScript/

I think it would be worth considering adding support to check a script on the outside, however probably this is worthy of an extension until all browsers support fetch+SRI/WebCrypto natively.

@dmethvin

Member

commented Mar 30, 2016

We recently got a similar request for CSP nonces in #2612 but the submitter went dark. Rather than trying to support all these individually and then needing to verify they each work across all browsers, maybe we could just treat this like headers and give $.ajax a general way to put attributes in the script tag.

@razamirza

commented Mar 30, 2016

If my request wasn't clear, here is the exact scenario. We use jQuery.getScript() to get script from third party CDNs, and want to check for the integrity of script, so we need something like:

jQuery.getScript( url [, hash, backupPath ] )

I'm relatively new to js, but no reason why I can't chip in.

@dmethvin

Member

commented Apr 8, 2016

I'd prefer we just add options to jQuery.ajax() that let you set attributes on the tag before it is added to the DOM. So something like this:

$.ajax({
  dataType: "script",
  url: "https://some/path",
  attrs: { nonce: "EDNnf03nceIOfn39fn3e9h3sdfa" },
});

which would inject a tag like:

<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa" src="https://some/path">

I suppose we could have jQuery.getScript( url, [, attrs] [, success] ) as well. The implementation would end up mapping any jQuery.getScript() call into jQuery.ajax() anyway since this additional information has to make it all the way to the script transport.

@timmywil timmywil added this to the 3.2.0 milestone Jun 30, 2016

@dmethvin dmethvin self-assigned this Sep 26, 2016

@markelog

Member

commented Oct 31, 2016

The attrs attribute would be useless if dataType is not script, correct?

@dmethvin

Member

commented Oct 31, 2016

@markelog Yes, unfortunately it's another transport-specific setting. It would be ignored by transports that didn't need it such as XHR.

@timmywil timmywil modified the milestones: 3.3.0, 3.2.0 Mar 6, 2017

@gibson042 gibson042 added the Ajax label Jul 31, 2017

dmethvin added a commit to dmethvin/jquery that referenced this issue Sep 12, 2017

Ajax: Allow custom attributes when script transport is used
Fixes jquerygh-3028
Ref jquerygh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.

@timmywil timmywil modified the milestones: 3.3.0, 3.4.0 Nov 13, 2017

dmethvin added a commit to dmethvin/jquery that referenced this issue Mar 8, 2018

Ajax: Allow custom attributes when script transport is used
Fixes jquerygh-3028
Ref jquerygh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.

@dmethvin

Member

commented Mar 8, 2018

Based on the way the PR is implemented, if scriptAttrs is set it will cause a script request to use a script tag, even if it's not cross-domain. The list of attrs can be empty.

@dmethvin dmethvin changed the title Consider supporting SRI in getScript Support custom script attributes (e.g. for SRI or CSP) Apr 4, 2018

@dmethvin dmethvin changed the title Support custom script attributes (e.g. for SRI or CSP) Support ajax script attributes (e.g. for SRI or CSP) Apr 4, 2018

dmethvin added a commit that referenced this issue May 14, 2018

Ajax: Allow custom attributes when script transport is used
Fixes gh-3028
Ref gh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 10, 2018
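
The `integrity` and `crossorigin` attributes this issue wants to pass through the script transport, as an added example that is not code from jQuery or from anyone in this thread: it computes the SRI value for a script body and reproduces the matching rule a browser applies to it. It runs under Node.js; the function names are illustrative, and the script contents and nonce are constructed placeholders.

```javascript
// Added example, not jQuery code. Runs under Node.js.
const { createHash } = require("node:crypto");

// Hash algorithms a browser recognises in an integrity value, weakest first.
const ALGOS = ["sha256", "sha384", "sha512"];
const TOKEN_RE = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)(?:\?.*)?$/;

const digest = (algo, body) => createHash(algo).update(body).digest("base64");

// Value for the `integrity` attribute, computed over the exact bytes served.
function sriHash(body, algo = "sha384") {
  return `${algo}-${digest(algo, body)}`;
}

// Attributes to hand to the script transport. `crossorigin` is included
// because a cross-origin script fetched without CORS cannot pass an SRI check.
function scriptAttrsFor(body, nonce) {
  return { integrity: sriHash(body), crossorigin: "anonymous", nonce };
}

// The comparison a browser makes: ignore malformed tokens, keep only the
// strongest algorithm listed, accept if any hash of that algorithm matches.
function integrityMatches(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => TOKEN_RE.exec(t))
    .filter(Boolean)
    .map(([, algo, hash]) => ({ algo, hash }));
  // No usable token means no enforcement: the script is allowed to run.
  if (tokens.length === 0) return true;
  const strongest = ALGOS[Math.max(...tokens.map((t) => ALGOS.indexOf(t.algo)))];
  return tokens.some((t) => t.algo === strongest && t.hash === digest(strongest, body));
}

// Constructed sample: the file as reviewed, and a modified copy of it.
const reviewed = "window.widget = { version: 1 };\n";
const modified = reviewed + "/* appended by someone else */\n";
const attrs = scriptAttrsFor(reviewed, "PLACEHOLDER-NONCE");

console.log(attrs);
console.log("reviewed copy accepted:", integrityMatches(reviewed, attrs.integrity));
console.log("modified copy accepted:", integrityMatches(modified, attrs.integrity));
```

An object like `attrs` is the kind of value the `scriptAttrs` setting discussed in this thread would carry. Note the early return: an integrity string with no well-formed token enforces nothing, so a typo in the hash silently disables the check.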
