Skip to content

/ jquery

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support ajax script attributes (e.g. for SRI or CSP) #3028

Closed
jonathanKingston opened this issue Mar 30, 2016 · 6 comments
Closed

Support ajax script attributes (e.g. for SRI or CSP) #3028

jonathanKingston opened this issue Mar 30, 2016 · 6 comments
Assignees
@dmethvin
Labels
Ajax Blocker Has Pull Request
Milestone
3.4.0

Comments

@jonathanKingston
Copy link

@jonathanKingston jonathanKingston commented Mar 30, 2016

@razamirza mentioned here: jquery/codeorigin.jquery.com#20 (comment)

Is there any plan to add support for SRI to jQuery.getScript()? http://api.jquery.com/jQuery.getScript/

I think it would be worth considering adding support to check a script on the outside, however probably this is worthy of an extension until all browsers support fetch+SRI/WebCrypto natively.
@jonathanKingston jonathanKingston mentioned this issue Mar 30, 2016
Closed
@dmethvin
Copy link
Member

@dmethvin dmethvin commented Mar 30, 2016

We recently got a similar request for CSP nonces in #2612 but the submitter went dark. Rather than trying to support all these individually and then needing to verify they each work across all browsers, maybe we could just treat this like headers and give $.ajax a general way to put attributes in the script tag.
@razamirza
Copy link

@razamirza razamirza commented Mar 30, 2016

If my request wasn't clear, here is the exact scenario. We use jQuery.getScript() to get script from third party CDNs, and want to check for the integrity of script, so we need something like:

jQuery.getScript( url [, hash, backupPath ] )

I'm relatively new to js, but no reason why I can't chip in.
@dmethvin
Copy link
Member

@dmethvin dmethvin commented Apr 8, 2016

I'd prefer we just add options to jQuery.ajax() that let you set attributes on the tag before it is added to the DOM. So something like this:

$.ajax({
  dataType: "script",
  url: "https://some/path",
  attrs: { nonce: "EDNnf03nceIOfn39fn3e9h3sdfa" },
});

which would inject a tag like:

<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa" src="https://some/path">

I suppose we could have jQuery.getScript( url, [, attrs] [, success] ) as well. The implementation would end up mapping any jQuery.getScript() call into jQuery.ajax() anyway since this additional information has to make it all the way to the script transport.
@timmywil timmywil added this to the 3.2.0 milestone Jun 30, 2016
@dmethvin dmethvin self-assigned this Sep 26, 2016
@markelog
Copy link
Member

@markelog markelog commented Oct 31, 2016

attrs attribute would be useless if dataType is not script correct?
@dmethvin
Copy link
Member

@dmethvin dmethvin commented Oct 31, 2016

@markelog Yes, unfortunately it's another transport-specific setting. It would be ignored by transports that didn't need it such as XHR.
@timmywil timmywil modified the milestones: 3.3.0, 3.2.0 Mar 6, 2017
@gibson042 gibson042 added the Ajax label Jul 31, 2017
dmethvin added a commit to dmethvin/jquery that referenced this issue Sep 12, 2017
@dmethvin
Ajax: Allow custom attributes when script transport is used
7a8d0c5 
Fixes jquerygh-3028
Ref jquerygh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.
@dmethvin dmethvin mentioned this issue Sep 12, 2017
Merged
4 of 4 tasks complete
@bloatware bloatware mentioned this issue Nov 11, 2017
Closed
@timmywil timmywil modified the milestones: 3.3.0, 3.4.0 Nov 13, 2017
dmethvin added a commit to dmethvin/jquery that referenced this issue Mar 8, 2018
@dmethvin
Ajax: Allow custom attributes when script transport is used
4c17697 
Fixes jquerygh-3028
Ref jquerygh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.
@dmethvin
Copy link
Member

@dmethvin dmethvin commented Mar 8, 2018

Based on the way the PR is implemented, if scriptAttrs is set it will cause a script request to use a script tag, even if it's not cross-domain. The list of attrs can be empty.
@dmethvin dmethvin changed the title Consider supporting SRI in getScript Support custom script attributes (e.g. for SRI or CSP) Apr 4, 2018
@dmethvin dmethvin changed the title Support custom script attributes (e.g. for SRI or CSP) Support ajax script attributes (e.g. for SRI or CSP) Apr 4, 2018
This was referenced Apr 4, 2018
Closed
Merged
dmethvin added a commit that referenced this issue May 14, 2018
@dmethvin
Ajax: Allow custom attributes when script transport is used
1f4375a 
Fixes gh-3028
Ref gh-2612

Useful, for example, to add `nonce`, `integrity`, or `crossorigin`.
@lock lock bot locked as resolved and limited conversation to collaborators Nov 10, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@dmethvin dmethvin

Labels
Ajax Blocker Has Pull Request
Projects
None yet
Milestone
3.4.0
Linked pull requests

Successfully merging a pull request may close this issue.

Ajax: Allow custom attributes when script transport is used
6 participants
@dmethvin @timmywil @jonathanKingston @markelog @razamirza @gibson042