Skip to content
Snippets Groups Projects
Select Git revision
  • tedomum-prod default
1 result
Blame Permalink
  • Lukas Reschke's avatar
    f2d63d35
    Disable automatic evaluation of responses · f2d63d35
    Lukas Reschke authored 
    If a response to a $.ajax() request returns a content type of "application/javascript"
JQuery would previously execute the response body. This is a pretty unexpected
behaviour and can result in a bypass of our Content-Security-Policy as well as
multiple unexpected XSS vectors.
    f2d63d35
    History
    Disable automatic evaluation of responses
    Lukas Reschke authored 
    If a response to a $.ajax() request returns a content type of "application/javascript"
JQuery would previously execute the response body. This is a pretty unexpected
behaviour and can result in a bypass of our Content-Security-Policy as well as
multiple unexpected XSS vectors.