
jQuery ajax automatically evaluates (runs) script file #4822

Closed
@AlexanderTheGr8-gr


What do you expect to happen?

When I fetch a JavaScript file with jQuery, for example with $.get(...), I do NOT expect it to run on load. *
I expect to get my data as a string (unless specified otherwise).

What actually happens?

When I fetch a JavaScript file with $.get(...) from THE SAME domain *** , then the script is auto-evaluated.
Which means the jQuery converter set in jQuery.ajaxSettings.converters['text script'] jumps into place,
and does ugly things, it actually runs the JavaScript code in the file.... while running the code of $.get(...) ...

* Since this "auto-run" functionality, which is accomplished with eval**, is not stated in the documentation, I suppose
no-one else expects it to happen either.

**	converters: {
		"text script": function( text ) {
			jQuery.globalEval( text );
			return text;
		}
	}

*** because hey, someone thought we should consider security and prevented auto-running CORS scripts,
and thus I cannot set up an example online...
The code preventing it is this below, and as you can see, it already hints: "auto-execution of scripts",
which should not be part of a simple $.get(...) request...

// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432) 
jQuery.ajaxPrefilter( function( s ) {
	if ( s.crossDomain ) {
		s.contents.script = false;
	}
} );

About conversions making sense

  • It's expected that when the file is json, I would need my data parsed, so a converter was added there,
    because when I actually come to use my data, I will need them as javascript objects.
  • But with a Javascript file, we can't have javascript in any other more useful form than string,
    unless we were to run it... And who would need javascript files to be run on fetch, since at fetch time,
    it is jQuery code, which means code execution is way before we come to the point of using -with our own code-
    that which was fetched (the javascript code)...

Link to test case

https://jsfiddle.net/a3quxb24/1/
Take a note though: as I said before, the only way to stumble upon this "auto-run" of JS on file fetch is to have the JS file
in the same domain where the $.get is executed.
And since the test code and the JavaScript file cannot be in the same domain in my example
(to my knowledge, neither JSFiddle, CodePen nor JSBin allows you to upload your own pure JS file),
the only way to see the bug in action is to place a breakpoint in line 10123 in the jQuery file in JSFiddle (jquery-3.5.1.js),
turn s.crossDomain to false (in order not to disable the converter) and, right after the if(s.crossDomain) is skipped,
turn s.crossDomain back to true (in order for the request to be completed without errors).
And that is it! You will see how the script executes on its own, with globalEvaluate.

Some might argue this is a feature.
But I disagree:
doing things

  • you are not requested
  • not stated in Documentation
  • and which are not absolutely logical (and therefore expected)

is not a thing to do.

  • I want to load a javascript file as string/text. Oh, yeah, it makes perfect sense, I have to disable a converter...
  • Or, I want to load a javascript file in my document, and have it executed. Wait, don't do anything, just fetch it,
    it makes perfect sense that a javascript file fetched should be nailed to my html page, because.. you never know, you might need it right now...
    It makes no sense.
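
A simplified model of the behaviour described in this issue, as an added example that is not part of the original post and is not jQuery's source. The names `resolveDataType` and `simulateGet` and the sample response are constructed for illustration, the content-type patterns are assumed to match jQuery 3.5.x defaults, and the "text script" converter here records the body instead of evaluating it.

```javascript
// Assumption: these patterns mirror jQuery's default `contents` settings.
const CONTENTS = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/
};

// Stand-in for jQuery.globalEval: records the text instead of executing it.
const evaluated = [];
const CONVERTERS = {
  "text script": (text) => { evaluated.push(text); return text; },
  "text json": (text) => JSON.parse(text)
};

// opts: { dataType?: string, crossDomain?: boolean }; contentType: response header value.
function resolveDataType(opts, contentType) {
  if (opts.dataType) return opts.dataType;        // an explicit dataType skips sniffing
  const contents = Object.assign({}, CONTENTS);
  if (opts.crossDomain) contents.script = false;  // the gh-2432 prefilter quoted in the issue
  for (const type of Object.keys(contents)) {
    if (contents[type] && contents[type].test(contentType)) return type;
  }
  return "text";
}

// Returns what the success callback would receive and whether the body was "evaluated".
function simulateGet(opts, contentType, body) {
  const before = evaluated.length;
  const type = resolveDataType(opts, contentType);
  const convert = CONVERTERS["text " + type];
  const data = convert ? convert(body) : body;
  return { type, data, executed: evaluated.length > before };
}

// Constructed sample response: a .js file served with a JavaScript content type.
const JS_TYPE = "application/javascript; charset=utf-8";
const BODY = "window.loaded = true;";

const implicitSame = simulateGet({}, JS_TYPE, BODY);                      // sniffed as "script"
const implicitCross = simulateGet({ crossDomain: true }, JS_TYPE, BODY);  // prefilter blocks sniffing
const explicitText = simulateGet({ dataType: "text" }, JS_TYPE, BODY);    // caller opts out

console.log({ implicitSame, implicitCross, explicitText });
```

In real code the opt-out modelled by `explicitText` is an explicit data type on the request, for example `$.ajax({ url: "/path/file.js", dataType: "text" })` (the URL is a placeholder).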
