An enterprise client pointed out this unpatched issue in jQuery 1.x:
jquery/jquery#2432
We could simply say "don't do that"; we don't do that - we don't use $.get or $.post or $.getJSON or $.ajax to access other domains, only the local site.
But yeah, it's not good that the response from such a site gets executed without cross-domain origin protections.
And more importantly... jQuery 1.x is past its end of life and not getting patches for anything, except very serious security holes:
jquery/jquery.com#162
(This policy was under-publicized until recently as you can see.)
So what can we do?
Well, Apostrophe 3.x will not ship with jQuery at all. So that's not an issue.
As for Apostrophe 2.x today, we could work around this one issue by moving to one of the 1.12.x versions of jQuery where it's fixed - which will impact anyone depending on the bug. But this is a lame solution - there are later versions in the 1.12 series where they un-fixed it.
Or we could move to 3.x. 3.x is only for modern browsers but it has a very generous definition of modern browser, going back to IE9.
This would, of course, break things:
https://jquery.com/upgrade-guide/3.0/
It might not break enough things to be a big deal or impact Apostrophe's UI, but it would certainly affect some client project, somewhere.
So my recommendation is that we start shipping jQuery 3.0 with a flag to enable loading it, and use that flag in our various boilerplate/CLI projects, after first regression testing of course and, if necessary, making sure our UI code works with either 1.x or 3.x.
Thoughts?
@stuartromanek @ludovicbret @agilbert
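As an added example (not code from this issue, from Apostrophe, or from jQuery), here is a same-origin guard that enforces the "only the local site" policy described above for jQuery 1.x, so the unpatched cross-domain auto-execution can never be reached by accident. The names `isCrossOrigin` and `guardAjaxOptions` are my own; the `jQuery.ajaxPrefilter` wiring is shown in a comment because it needs a browser.

```javascript
// Added example: a same-origin guard for jQuery 1.x Ajax helpers.
// Rationale: unpatched jQuery 1.x executes a cross-domain response that is
// served with a script Content-Type even when the caller never asked for
// dataType "script". Blocking every request that leaves the page's origin
// removes that path entirely, matching a "local site only" Ajax policy.

// True when `url` targets an origin other than `pageOrigin`.
// Relative URLs ("/modules/foo") resolve against the page and are local;
// protocol-relative URLs ("//cdn.example/x") and absolute URLs are compared
// by scheme + host + port, with default ports normalised by the URL parser.
function isCrossOrigin(url, pageOrigin) {
  const page = new URL(pageOrigin);
  let target;
  try {
    target = new URL(url, page.href);
  } catch (e) {
    // Unparsable URL: fail closed and treat it as foreign.
    return true;
  }
  return target.origin !== page.origin;
}

// Decision for a jQuery-style options object ({ url, dataType, ... }).
// `allowed === false` means the prefilter should abort the request.
function guardAjaxOptions(options, pageOrigin) {
  const url = (options && options.url) || '';
  if (isCrossOrigin(url, pageOrigin)) {
    return { allowed: false, reason: 'cross-origin Ajax request blocked: ' + url };
  }
  return { allowed: true, reason: null };
}

// Browser wiring (assumes jQuery 1.x is loaded as window.jQuery; hypothetical):
//   jQuery.ajaxPrefilter(function (options, originalOptions, jqXHR) {
//     var decision = guardAjaxOptions(options, window.location.origin);
//     if (!decision.allowed) {
//       if (window.console) console.warn(decision.reason);
//       jqXHR.abort();
//     }
//   });

module.exports = { isCrossOrigin, guardAjaxOptions };
```

Because the prefilter runs before jQuery builds the transport, an aborted request never reaches the network and its response is never inspected, so the content-type inference that triggers the execution bug is never performed.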