Jquery: Support ajax script attributes (e.g. for SRI or CSP)

Created on 30 Mar 2016  路  6Comments  路  Source: jquery/jquery

@razamirza mentioned here: https://github.com/jquery/codeorigin.jquery.com/issues/20#issuecomment-203168265

Is there any plan to add support for SRI to jQuery.getScript()? http://api.jquery.com/jQuery.getScript/

I think it would be worth considering adding support to check a script on the outside, however probably this is worthy of an extension until all browsers support fetch+SRI/WebCrypto natively.

Ajax Blocker Has Pull Request

Most helpful comment

I'd prefer we just add options to jQuery.ajax() that let you set attributes on the tag before it is added to the DOM. So something like this:

$.ajax({
  dataType: "script",
  url: "https://some/path",
  attrs: { nonce: "EDNnf03nceIOfn39fn3e9h3sdfa" },
});

which would inject a tag like:

<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa" src="https://some/path">

I suppose we could have jQuery.getScript( url, [, attrs] [, success] ) as well. The implementation would end up mapping any jQuery.getScript() call into jQuery.ajax() anyway since this additional information has to make it all the way to the script transport.

All 6 comments

We recently got a similar request for CSP nonces in #2612 but the submitter went dark. Rather than trying to support all these individually and then needing to verify they each work across all browsers, maybe we could just treat this like headers and give $.ajax a general way to put attributes in the script tag.

If my request wasn't clear, here is the exact scenario. We use jQuery.getScript() to get script from third party CDNs, and want to check for the integrity of script, so we need something like:

jQuery.getScript( url [, hash, backupPath ] )

I'm relatively new to js, but no reason why I can't chip in.

I'd prefer we just add options to jQuery.ajax() that let you set attributes on the tag before it is added to the DOM. So something like this:

$.ajax({
  dataType: "script",
  url: "https://some/path",
  attrs: { nonce: "EDNnf03nceIOfn39fn3e9h3sdfa" },
});

which would inject a tag like:

<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa" src="https://some/path">

I suppose we could have jQuery.getScript( url, [, attrs] [, success] ) as well. The implementation would end up mapping any jQuery.getScript() call into jQuery.ajax() anyway since this additional information has to make it all the way to the script transport.

attrs attribute would be useless if dataType is not script correct?

@markelog Yes, unfortunately it's another transport-specific setting. It would be ignored by transports that didn't need it such as XHR.

Based on the way the PR is implemented, if scriptAttrs is set it will cause a script request to use a script tag, even if it's not cross-domain. The list of attrs can be empty.

Was this page helpful?
0 / 5 - 0 ratings