
jQuery does not respect the crossOrigin attribute on the script tag #4542

Closed
gaohuia opened this issue Nov 15, 2019 · 3 comments

Comments

@gaohuia
Contributor

gaohuia commented Nov 15, 2019

I don't know if this is a new issue for you; I just ran into it on our site.

Description

Just look at the following HTML code. There are two script tags in the page: one is statically written and the other is added by jQuery. They are almost the same, except for a small difference in the src.

Steps:

  1. Put this page on an HTML server and get a link to that page.
  2. Open your browser (I used Chrome v78).
  3. Open a new tab and press F12 to open the dev tools.
  4. Switch to the Network tab.
  5. Open the link you got in the 1st step.
  6. Observe the network.

Expected: Both jquery-3.4.1.min.js and jquery-3.4.1.min.js?cors should be requested with the HTTP header "Origin".
Result: Only jquery-3.4.1.min.js is requested with the "Origin" header; the other one is not.

When this issue happens, the browser caches the response for jquery-3.4.1.min.js?cors, which has no CORS headers. If other pages then use this script with SRI, it will be blocked, because the request matches the cache but the cached response does not contain a CORS header like "Access-Control-Allow-Origin".

<!doctype html>
<html lang="en">
<head>
    <!-- Static script tag: the browser fetches this in CORS mode and sends an Origin header -->
    <script src="https://code.jquery.com/jquery-3.4.1.min.js" crossorigin="anonymous"></script>
    <script>
        $(function(){
            // Script tag inserted by jQuery: same crossorigin attribute, but the request
            // jQuery actually issues for it carries no Origin header
            $("#container").html('<script src="//code.jquery.com/jquery-3.4.1.min.js?cors" crossorigin="anonymous" ><\/script>');
            alert('done');
        });
    </script>

</head>
<body>
    <div id="container"></div>
</body>
</html>
@mgol
Member

mgol commented Dec 9, 2019

It seems we might just need to add support for the crossOrigin property on script elements to src/core/DOMEval.js#L3-L8. If possible, we should also write an iframe test that ensures this fixes the issue you mention.

Would you like to try to submit a PR for that?

@mgol mgol added this to the 3.5.0 milestone Dec 9, 2019
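An added illustration (not jQuery's code) of the two points in this thread: the cache poisoning described in the report, and the fix mgol proposes of copying crossOrigin onto the re-created script element. The attribute list, the cache model and the server behaviour (Access-Control-Allow-Origin only sent when an Origin header arrives) are constructed assumptions, and the integrity value is a placeholder.

```javascript
// Assumed list of attributes a DOMEval-style helper copies from the source
// <script> onto the element it creates; "crossOrigin" is the one this issue is about.
const SCRIPT_ATTRS_TO_KEEP = ["type", "src", "nonce", "noModule", "crossOrigin"];

// Build the re-created script element (plain object standing in for a DOM node).
// With keepCrossOrigin=false it mimics the reported behaviour: crossOrigin is dropped.
function buildScript(sourceEl, keepCrossOrigin) {
  const out = {};
  for (const attr of SCRIPT_ATTRS_TO_KEEP) {
    if (attr === "crossOrigin" && !keepCrossOrigin) continue;
    if (sourceEl[attr] != null) out[attr] = sourceEl[attr];
  }
  return out;
}

// A script with crossOrigin set is fetched in CORS mode (Origin header sent);
// without it the browser does an opaque no-cors fetch.
function fetchMode(scriptEl) {
  return scriptEl.crossOrigin != null ? "cors" : "no-cors";
}

// Minimal model of a browser cache keyed by URL only, the worst case from the
// report. Constructed server behaviour: ACAO is emitted only on CORS-mode requests.
function simulateLoads(cache, url, scripts) {
  const results = [];
  for (const s of scripts) {
    const mode = fetchMode(s);
    let resp = cache.get(url);
    if (!resp) {
      resp = { acao: mode === "cors" ? "*" : null };
      cache.set(url, resp);
    }
    // A CORS-mode load (which SRI on a cross-origin script requires) needs ACAO.
    const ok = mode === "no-cors" || resp.acao !== null;
    results.push({ mode, ok });
  }
  return results;
}

// First the jQuery-inserted copy loads and populates the cache, then a second page
// loads the same URL with SRI. Returns [okFirst, okSecond].
function reproduce(keepCrossOrigin) {
  const src = { src: "https://code.jquery.com/jquery-3.4.1.min.js?cors", crossOrigin: "anonymous" };
  const inserted = buildScript(src, keepCrossOrigin);
  const sriPage = { src: src.src, crossOrigin: "anonymous", integrity: "sha384-PLACEHOLDER" };
  return simulateLoads(new Map(), src.src, [inserted, sriPage]).map(r => r.ok);
}
```

With the attribute dropped the second page's SRI load fails on the poisoned cache entry; once crossOrigin is carried over both loads succeed.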
@gaohuia
Contributor Author

gaohuia commented Dec 10, 2019

It seems to be related to the "script" transport.
I'll try to make a PR later.

@timmywil
Member

Moving to 4.0 as this is a breaking change.
