If you go to https://code.jquery.com and request a script tag, it will load the script over https.

However, if you just navigate to the website via the address bar or google, you will get the HTTP website instead (http://code.jquery.com). This version of the website produces incorrect code that points to HTTP website. This is completely non-obvious to the developer and leads to jQuery not being loaded properly over HTTPS.

Please fix this so both versions of the website provide script links that point to https://code.jquery.com

Originally reported at #51 and jquery/jquery.com#51.

The jQuery CDN code.jquery.com lacks IPv6 addresses and thus resources from it can't be received using IPv6.

As @mgol said, I'm also sorry to post it here guys, but still there doesn't seem to be any place to report issues related to code.jquery.com.

Below some traceroutes and curl calls that may help to identify the real issue.

lrcarvalho@kalabria-2:~$ curl -6 https://code.jquery.com/jquery-3.4.1.min.js -I
HTTP/1.1 403 Forbidden
Date: Wed, 11 Sep 2019 12:31:10 GMT
Connection: close
Accept-Ranges: bytes
Cache-Control: max-age=10
Content-Length: 0
X-HW: 1568205070.dop054.sp3.t,1568205070.cds036.sp3.shn,1568205070.cds036.sp3.c

lrcarvalho@kalabria-2:~$ curl -6 https://code.jquery.com -v --trace-time
09:33:04.316010 * Rebuilt URL to: https://code.jquery.com/
09:33:04.320430 *   Trying 2001:4de0:ac18::1:a:1a...
09:33:04.320462 * TCP_NODELAY set
09:33:04.345722 * Connected to code.jquery.com (2001:4de0:ac18::1:a:1a) port 443 (#0)
09:33:04.345866 * ALPN, offering h2
09:33:04.345901 * ALPN, offering http/1.1
09:33:04.345975 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
09:33:04.350264 * successfully set certificate verify locations:
09:33:04.350288 *   CAfile: /etc/ssl/cert.pem
  CApath: none
09:33:04.350371 * TLSv1.2 (OUT), TLS handshake, Client hello (1):
09:33:04.378452 * TLSv1.2 (IN), TLS handshake, Server hello (2):
09:33:04.380605 * TLSv1.2 (IN), TLS handshake, Certificate (11):
09:33:04.381982 * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
09:33:04.382153 * TLSv1.2 (IN), TLS handshake, Server finished (14):
09:33:04.382961 * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
09:33:04.383004 * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
09:33:04.383071 * TLSv1.2 (OUT), TLS handshake, Finished (20):
09:33:04.410728 * TLSv1.2 (IN), TLS change cipher, Client hello (1):
09:33:04.410860 * TLSv1.2 (IN), TLS handshake, Finished (20):
09:33:04.411066 * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
09:33:04.411104 * ALPN, server did not agree to a protocol
09:33:04.411140 * Server certificate:
09:33:04.411188 *  subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=jquery.org
09:33:04.411251 *  start date: Oct 17 00:00:00 2018 GMT
09:33:04.411296 *  expire date: Oct 16 23:59:59 2020 GMT
09:33:04.411487 *  subjectAltName: host "code.jquery.com" matched cert's "code.jquery.com"
09:33:04.411661 *  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
09:33:04.411726 *  SSL certificate verify ok.
09:33:04.412120 > GET / HTTP/1.1
09:33:04.412120 > Host: code.jquery.com
09:33:04.412120 > User-Agent: curl/7.54.0
09:33:04.412120 > Accept: */*
09:33:04.412120 >
09:33:04.438844 < HTTP/1.1 403 Forbidden
09:33:04.438908 < Date: Wed, 11 Sep 2019 12:33:04 GMT
09:33:04.438950 < Connection: close
09:33:04.438990 < Accept-Ranges: bytes
09:33:04.439071 < Cache-Control: max-age=10
09:33:04.439135 < Content-Length: 0
09:33:04.439193 < X-HW: 1568205184.dop054.sp3.t,1568205184.cds038.sp3.shn,1568205184.cds038.sp3.c
09:33:04.439234 <
09:33:04.439498 * Closing connection 0
09:33:04.440027 * TLSv1.2 (OUT), TLS alert, Client hello (1):

lrcarvalho@kalabria-2:~$ traceroute6 code.jquery.com
traceroute6: Warning: cds.s5x3j6q5.hwcdn.net has multiple addresses; using 2001:4de0:ac18::1:a:1a
traceroute6 to cds.s5x3j6q5.hwcdn.net (2001:4de0:ac18::1:a:1a) from 2804:d51:4b01:5d00:d0c5:73b7:8707:5fae, 64 hops max, 12 byte packets
 1  2804:d51:222:15c::1  3.549 ms  1.285 ms  1.015 ms
 2  * * *
 3  * * *
 4  * * *
...

I'm getting an SSL error when visiting code.jquery.com over https. Apparently "There are issues with the site's certificate chain". Tested on both Chrome and Safari on OSX. Does this mean all websites using the jquery CDN over https are broken? That wouldn't be good...

Update: I have no issues when visiting on iOS Safari, strange.

Returns just url of current page ( code.jquery.com ).

OS: Window 10
Browser: Chrome 73

Hello everybody, hope you are doing great
This is Arturo Baldo on behalf of AS 262187.
I am experiencing a loop of 301 redirects since 2 weeks ago, i spoke to stackpath/highwinds cdn and they say it could be a misconfiguration at jQuery's end
Is there anything we can do to help in order to fix it?

Right now, it shows:

jQuery Core 3.0.0 - uncompressed, minified

Perhaps we could do:

jQuery Core 3.0.0 - uncompressed, minified, slim

I just deployed a change to jquery-wp-content which affects all pages on codeorigin, but only the UI and QUnit listing pages updated.

https://code.jquery.com/jquery-3.3.1.min.js 打不开 ,有什么地域限制吗？

As a CDN provider it will soon become good practice to provide integrities.
See:
jsdelivr/jsdelivr#6029
cdnjs/cdnjs#4599

For all static assets that never change can integrities be added?

I'm here to help if anything is needed.

First of all: Why should you disable sslv3 (and tlsv1.0 which is outdated too): http://disablessl3.com/

For "old" server which are ignoring the threats tied to sslv3, we designed an exception list containing server which are allowed to communicate in "sslv3.0" and "tlsv1.0".
For most of these server the communication works fine.
But the communication to the "jquery.com" fails with the following error: "SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure".

Reasons found in the internet trying to explain this error are for example:
DNS - problems: But we can access the "http"-pages without any problem. So it does not look like a dns-problem...
"Destination Site does not like the cipher": We are using a "selfsigned key" build on our private PKI (http://blog.techstacks.com/2010/03/3-common-causes-of-unknown-ssl-protocol-errors-with-curl.html) so you must see somthing in the server-logs if this is the problem... This error is often referred to as an problem in the usage of curl. Since we use an appliance we do not know whether curl is implemented and used or not.
Following https://curl.haxx.se/mail/archive-2014-11/0030.html the only way to deal with the problem ist to switch off sslv3.0 ...

The files for jQuery UI. 1.11.0-beta.1 aren't getting listed on http://code.jquery.com/ui/

The deploy fails with this stacktrace:

/Users/jza/dev/codeorigin.jquery.com/node_modules/grunt/lib/util/task.js:352
          throw e;
                ^
TypeError: Cannot read property 'version' of undefined
    at Object.<anonymous> (/Users/jza/dev/codeorigin.jquery.com/grunt.js:284:36)
    at program1 (eval at <anonymous> (/Users/jza/dev/codeorigin.jquery.com/node_modules/handlebars/lib/handlebars/compiler/compiler.js:579:23), <anonymous>:15:92)
    at program (/Users/jza/dev/codeorigin.jquery.com/node_modules/handlebars/lib/handlebars/runtime.js:77:14)
    at Object.<anonymous> (/Users/jza/dev/codeorigin.jquery.com/node_modules/handlebars/lib/handlebars/base.js:116:21)
    at Object.eval (eval at <anonymous> (/Users/jza/dev/codeorigin.jquery.com/node_modules/handlebars/lib/handlebars/compiler/compiler.js:579:23), <anonymous>:64:25)
    at /Users/jza/dev/codeorigin.jquery.com/node_modules/handlebars/lib/handlebars/runtime.js:38:33
    at /Users/jza/dev/codeorigin.jquery.com/node_modules/handlebars/lib/handlebars/compiler/compiler.js:1294:21
    at Object.<anonymous> (/Users/jza/dev/codeorigin.jquery.com/grunt.js:336:62)
    at Object.thisTask.fn (/Users/jza/dev/codeorigin.jquery.com/node_modules/grunt/lib/grunt/task.js:58:16)
    at Task.<anonymous> (/Users/jza/dev/codeorigin.jquery.com/node_modules/grunt/lib/util/task.js:343:36)

The first entry in the ui array of the data passed to the template looks like this: { major: '1.11', latestStable: undefined, all: [Object] }. The template then tries to render something using the latestStable property, which is undefined, so it has no version property, leading to the exception above.

When looking into fixing this issue I ran into a different issue: How should pre-releases show up, if at all, on http://code.jquery.com/ui/ ? Even if I wrap the output for latestRelease in a conditional, the beta.1 is currently not a "Previous Release".

I'm going ahead with publishing the beta anyway, since this isn't a blocker (the blog post will link to the files as well).

code.jquery.com has mixed content with some URLs going to http - Corey asked us to file a ticket.

We got during bower install.

curl same error.

$curl https://code.jquery.com/
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

But no error when certificate with goole chrome
Why???

Over this site jQuery CDN https://94.31.29.54/ I detected the below vulnerabilities, my objective is that you see this issue as Bug Bounty and give an reward for this, thanks.

Originally reported by @tambry in jquery/jquery.com#178.

The jQuery CDN code.jquery.com lacks IPv6 addresses and thus resources from it can't be received using IPv6.

The CDN seems to be served by StackPath (previously Highwinds), which has recently gotten IPv6 support, so this should be fixable. For reference, BootstrapCDN also uses StackPath, and they recently enabled IPv6 for their CDN endpoint (stackpath.bootstrapcdn.com).

PS
Apologies if this is the wrong place to report this, but there doesn't seem to be any place to report issues related to code.jquery.com.

We need to move the 1-9 git build to it's own directory so it doesn't compete with the standard git build for the images directory.

Hey folks! Hopefully this is a reasonable repository for requests like this one. :)

Cross-Origin-Resource-Policy (CORP) is an HTTP response header that asserts a scope in which a given resource is allowed to be embedded. Today, the default for all resources is to allow cross-site loads, which unfortunately creates the conditions for side-channel attacks via Spectre, et al. With this background, browser vendors are interested in changing this default generally in the long-term, and in the short-term will allow developers to require explicit opt-in via Cross-Origin-Embedder-Policy. This opt-in will be a prerequisite for some particularly interesting APIs like SharedArrayBuffer.

To support this migration, it would be ideal if y'all could begin adding this assertion explicitly to resources that are expected to be used by various sites out there on the internet (e.g. by sending a Cross-Origin-Resource-Policy: cross-origin header). This should be a no-op in the status quo, and will ensure that y'all aren't blocking developers from opting-into Cross-Origin-Embedder-Policy (and therefore exciting new APIs).

If there's any more context I can give you about this set of features, I'd be happy to chat!

This would solve:

• #55
• jquery/demos.jquerymobile.com#19

Sub steps:

• Set Strict-Transport-Security: max-age=106384710; includeSubDomains; preload in our Nginx backend configuration as a header on our main content domains. Taking care to apply this both to responses generated via WordPress for pages on api.jquery.com and code.jquery.com, as well as static files served from codeorigin.jquery.com.
• Submit jquery.com to https://hstspreload.org/

A full forced redirect to HTTPS should have no negative impact on browsers accessing code.jquery.com through a <script> tag. An HSTS header would further protect visitors to sites that embed an insecure code.jquery.com link.

Alternatively, I can see that CORS has just recently been enabled for resources on code.jquery.com. Safari does break on attempts to redirect CORS URLs from HTTP to HTTPS, even if both endpoints have CORS headers enabled.

Before the jQuery CDN develops much of a user base for its CORS support, the most immediate helpful thing to avoid making it difficult for the CDN to force a redirect in the future would be to only provide CORS support for HTTPS requests. This would at least prevent the situation from deterioriating while the jQuery CDN evaluates a full switch to HTTPS and HSTS.

Why is this on 0.3.x ?

When we deploy, the listing pages should be automatically reloaded. We have so few pages that we can just reload all on every deploy instead of trying to be smart and only reloading the ones that actually changed.

See jquery/jquery#2899

https://www.sslshopper.com/ssl-checker.html#hostname=https://code.jquery.com reports an error.

And

https://sectigostore.com/ssl-tools/ssl-checker.php does not.

https://forum.jquery.com/topic/certificate-chain-issue reported it to the forum.

Resources from the jquery CDN are only loaded over HTTP/1.1

3.0 will need to be added to this page when 3.0 final is released.

Note that links to http://code.jquery.com/jquery-git2.js redirects to 3.0-pre.

The url https://code.jquery.com/jquery-latest.min.js isn't working due to a redirect loop.

I'm trying to reach the url from Uruguay, South America. Any browser is giving the next problem:
This page isn’t working
code.jquery.com redirected you too many times.
Try clearing your cookies.
ERR_TOO_MANY_REDIRECTS

Apparently needs to be updated:

http://sitecheck.sucuri.net/results/code.jquery.com

There should be a JSON file generated on every update which lists all the versions using semver and points to the appropriate files. This should exist for all projects.

There is a submodule for the NetDNA php code, we should just import the external so I don't have to change the puppet scripts to do git submodule update --init

cc @aulvi

The QUnit git build hasn't updated in a while (since version 2.6.3-pre) which corresponds to when the CDN API changed and the purge endpoint was updated.

According to this Jenkins log, the file should have been updated successfully, but you can see here that the version is still out-of-date (should be version 2.8.1-pre).

cc @Krinkle

The latest version of QUnit listed on http://code.jquery.com/ is out-of-date. Additionally, the QUnit page does not list all published versions.

Seems like maybe the build for the website is no longer running correctly?

I have tested the latest jQuery version at code.jquery.com using Gzip and Brotli Compression Level Estimator and there is room for improvement:

Please increase the gzip compression level from 1 to at least 6 and enable brotli compression method. Thanks.

The root certificate authority has expired at 30 may 2020

https://www.ssllabs.com/ssltest/analyze.html?d=code.jquery.com&s=2001%3a4de0%3aac19%3a0%3a0%3a1%3ab%3a1b&latest

The code.jquery.com site is serving up a cert for hwcdn.net.

code.jquery.com uses an invalid security certificate.

The certificate is only valid for the following names: *.ssl.hwcdn.net, ssl.hwcdn.net Error code: SSL_ERROR_BAD_CERT_DOMAIN

Obviously this breaks any site including one of the CDN scripts as the browser will not load it.

http://code.jquery.com/jquery-latest.min.js
http://code.jquery.com/jquery-latest.js

Give both 502 Bad Gateway breaking a lot of pages, although they should be included as they are in https://github.com/jquery/codeorigin.jquery.com/tree/master/cdn ? Maybe a bad sync to the CDN ?

( I understand you are fading out the support for jquery latest, but since it's the most 'popular' quick implementation due to articles like http://stackoverflow.com/questions/441412/is-there-a-link-to-the-latest-jquery-library-on-google-apis I assume this might be a malfunction )

It seems to be limited to jQuery core releases currently.

Split from #38.

I have tested the latest jQuery version at code.jquery.com using Gzip and Brotli Compression Level Estimator and there is room for improvement:

https://code.jquery.com/ fails to load. http://code.jquery.com/ loads except for the HTTPS resources it tries to request.

Not a local network issue, I've verified with multiple people at different locations and they too cannot reach the HTTPS site.

I'm not sure if this is the right place to report this, but:

http://code.jquery.com/

don't redirect to https and links are just paths so they are also http (so if you use copy link in context menu you will get http link).

Maybe everything should be redirected to https including the file links.

Migrated from jquery/jquery#4162

From @gibson042:

Issue confirmed. Content coding values (which are the contents of Accept-Encoding) are case-insensitive per RFC 7231, but code.jquery.com sends a response with no encoding in response to Accept-Encoding: GZIP (or other variants that are not all lowercase), and—here's the issue—lies about that lack of encoding by also including Content-Encoding: gzip.

Transcripts, with ### comments added.

$ curl -sv http://code.jquery.com/jquery-2.2.4.min.js | head -c 10 | xxd
*   Trying 205.185.208.52...
* Connected to code.jquery.com (205.185.208.52) port 80 (#0)
> GET /jquery-2.2.4.min.js HTTP/1.1
> Host: code.jquery.com
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 31 Aug 2018 14:04:40 GMT
< Connection: Keep-Alive
< Accept-Ranges: bytes
< Content-Length: 85578 ### unencoded size: 85578
< Content-Type: application/javascript; charset=utf-8
< Last-Modified: Fri, 20 May 2016 17:24:41 GMT
< Server: nginx
< ETag: W/"573f4859-14e4a"
< Cache-Control: max-age=315360000
< Cache-Control: public
< Access-Control-Allow-Origin: *
< Vary: Accept-Encoding
< X-HW: 1535724280.dop013.ny3.t,1535724280.cds046.ny3.c
< 
{ [1460 bytes data]
00000000: 2f2a 2120 6a51 7565 7279                 /*! jQuery ### unencoded response
* Failed writing body (892 != 16384)
* Closing connection 0

$ curl -sv -H 'Accept-Encoding: gzip' http://code.jquery.com/jquery-2.2.4.min.js | head -c 10 | xxd
*   Trying 205.185.208.52...
* Connected to code.jquery.com (205.185.208.52) port 80 (#0)
> GET /jquery-2.2.4.min.js HTTP/1.1
> Host: code.jquery.com
> User-Agent: curl/7.47.0
> Accept: */*
> Accept-Encoding: gzip ### request for gzipped response
> 
< HTTP/1.1 200 OK
< Date: Fri, 31 Aug 2018 14:10:51 GMT
< Connection: Keep-Alive
< Accept-Ranges: bytes
< Content-Encoding: gzip ### response is claimed to be gzipped
< Content-Length: 34834 ### compressed size: 34834
< Content-Type: application/javascript; charset=utf-8
< Last-Modified: Fri, 20 May 2016 17:24:41 GMT
< Server: nginx
< ETag: W/"573f4859-14e4a"
< Cache-Control: max-age=315360000
< Access-Control-Allow-Origin: *
< Vary: Accept-Encoding
< X-HW: 1535724651.dop012.ny3.t,1535724651.cds046.ny3.c
< 
{ [1460 bytes data]
00000000: 1f8b 0800 0000 0000 0003                 .......... ### response appears gzipped, cf. https://tools.ietf.org/html/rfc1952#page-6
* Failed writing body (1500 != 9899)
* Closing connection 0

$ curl -sv -H 'Accept-Encoding: GZIP' http://code.jquery.com/jquery-2.2.4.min.js | head -c 10 | xxd
*   Trying 205.185.208.52...
* Connected to code.jquery.com (205.185.208.52) port 80 (#0)
> GET /jquery-2.2.4.min.js HTTP/1.1
> Host: code.jquery.com
> User-Agent: curl/7.47.0
> Accept: */*
> Accept-Encoding: GZIP ### unusual request for gzipped response
> 
< HTTP/1.1 200 OK
< Date: Fri, 31 Aug 2018 14:14:50 GMT
< Connection: Keep-Alive
< Accept-Ranges: bytes
< Content-Encoding: gzip ### response is claimed to be gzipped
< Content-Length: 85578 ### …but the size is as big as an unencoded response :\
< Content-Type: application/javascript; charset=utf-8
< Last-Modified: Fri, 20 May 2016 17:24:41 GMT
< Server: nginx
< ETag: W/"573f4859-14e4a"
< Cache-Control: max-age=315360000
< Access-Control-Allow-Origin: *
< Vary: Accept-Encoding
< X-HW: 1535724890.dop004.ny3.t,1535724890.cds046.ny3.c
< 
{ [1460 bytes data]
00000000: 2f2a 2120 6a51 7565 7279                 /*! jQuery ### non-gzipped! >:(
* Failed writing body (2068 != 16384)
* Closing connection 0

Dears,

Why the URL http://code.jquery.com/jquery-x.x.x not working

When referencing http://code.jquery.com/jquery-3.2.1.slim.min.js I get an error about undefined .load() function. Referencing http://code.jquery.com/jquery-3.2.1.min.js instead fixes the issue.

$(document).ready(function() { $('#test').load('doesntmatter'); });

Uncaught TypeError: $(...).load is not a function

StackOverflow question showing minimal example.

We should update to the latest version from https://github.com/netdna/netdnarws-php.

Over this site jQuery CDN https://94.31.29.54/ I detected the below vulnerabilities, my objective is that you see this issue as Bug Bounty and give me an reward for this, thanks.

I tried to upload in PDF format the report, but appear this error: Something went really wrong, and we can’t process that file.

I put the vulnerabilities directly in the issue.

Given that addition of files is done through Git, perhaps the build step that creates the SRI information should also be committed to Git - instead of happening during deployment?

That would provide more confidence, transparency and verifiability for these values.

There appears to be an SSL issue with the code.jquery.com site.

Your connection is not private
Attackers might be trying to steal your information from code.jquery.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

Fortify Issue : https://github.com/jquery/codeorigin.jquery.com/blob/master/cdn/jquery-3.2.1.min.js line 2 (Insecure Randomness)

Hey guys,

Look at this url: http://code.jquery.com/jquery-migrate-3.0.1.min.js
At the end it says ".min", but the file isn't minified.

http://code.jquery.com/jquery-latest.min.js "v1.10.2"
v1.11 was released 2 months ago. That is if "latest" was supposed to work to mean "latest v1 branch".

Workaround: (I believe these are scripted, so as long as someone makes the right folder name, aliases will work).
http://cdn.jsdelivr.net/jquery/1/jquery.min.js //newest v1.*
http://cdn.jsdelivr.net/jquery/2/jquery.min.js //newest v2.*

Long-term workaround: Perhaps let jsDelivr, be the "official" CDN? It is basically MaxCDN (that you're already using) + CloudFlare (that drives CDNJS) + a few extra POPs. In a month or so there will be a semi-automated upload system also.

Thanks for all the work you all do!