Defer scriptEval test until first use to prevent Content Security Policy inline-script violations from occurring. Fixes #7371.

Brandon Sterne 2011-01-17 16:31:12 -05:00 committed by jeresig
parent f01ef93aab
commit 220a0ce162
2 changed files with 32 additions and 22 deletions


@ -583,7 +583,7 @@ jQuery.extend({
script.type = "text/javascript"; script.type = "text/javascript";
if ( jQuery.support.scriptEval ) { if ( jQuery.support.scriptEval() ) {
script.appendChild( document.createTextNode( data ) ); script.appendChild( document.createTextNode( data ) );
} else { } else {
script.text = data; script.text = data;
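Review bot: `jQuery.support.scriptEval` changes from a boolean to a function here, so any reader not updated by this commit that still tests it as a property (`if ( jQuery.support.scriptEval )`) will see a truthy function and always take the `createTextNode` branch, even on browsers where the probe would return false. Only this one call site is visible in the hunk, so other uses in the library and in plugins should be checked. A short comment at the call, such as `// scriptEval is a lazily evaluated probe (function), not a boolean`, would make the new contract obvious. The enclosing function starts and ends outside the hunk.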


@ -4,10 +4,7 @@
jQuery.support = {}; jQuery.support = {};
var root = document.documentElement, var div = document.createElement("div");
script = document.createElement("script"),
div = document.createElement("div"),
id = "script" + jQuery.now();
div.style.display = "none"; div.style.display = "none";
div.innerHTML = " <link/><table></table><a href='/a' style='color:red;float:left;opacity:.55;'>a</a><input type='checkbox'/>"; div.innerHTML = " <link/><table></table><a href='/a' style='color:red;float:left;opacity:.55;'>a</a><input type='checkbox'/>";
@ -64,7 +61,7 @@
deleteExpando: true, deleteExpando: true,
optDisabled: false, optDisabled: false,
checkClone: false, checkClone: false,
scriptEval: false, _scriptEval: null,
noCloneEvent: true, noCloneEvent: true,
boxModel: null, boxModel: null,
inlineBlockNeedsLayout: false, inlineBlockNeedsLayout: false,
@ -77,32 +74,45 @@
select.disabled = true; select.disabled = true;
jQuery.support.optDisabled = !opt.disabled; jQuery.support.optDisabled = !opt.disabled;
script.type = "text/javascript"; jQuery.support.scriptEval = function() {
try { if ( jQuery.support._scriptEval === null) {
script.appendChild( document.createTextNode( "window." + id + "=1;" ) ); var root = document.documentElement,
} catch(e) {} script = document.createElement("script"),
id = "script" + jQuery.now();
root.insertBefore( script, root.firstChild ); script.type = "text/javascript";
try {
script.appendChild( document.createTextNode( "window." + id + "=1;" ) );
} catch(e) {}
// Make sure that the execution of code works by injecting a script root.insertBefore( script, root.firstChild );
// tag with appendChild/createTextNode
// (IE doesn't support this, fails, and uses .text instead) // Make sure that the execution of code works by injecting a script
if ( window[ id ] ) { // tag with appendChild/createTextNode
jQuery.support.scriptEval = true; // (IE doesn't support this, fails, and uses .text instead)
delete window[ id ]; if ( window[ id ] ) {
} jQuery.support._scriptEval = true;
delete window[ id ];
} else {
jQuery.support._scriptEval = false;
}
root.removeChild( script );
// release memory in IE
root = script = id = null;
}
return jQuery.support._scriptEval;
};
// Test to see if it's possible to delete an expando from an element // Test to see if it's possible to delete an expando from an element
// Fails in Internet Explorer // Fails in Internet Explorer
try { try {
delete script.test; delete div.test;
} catch(e) { } catch(e) {
jQuery.support.deleteExpando = false; jQuery.support.deleteExpando = false;
} }
root.removeChild( script );
if ( div.attachEvent && div.fireEvent ) { if ( div.attachEvent && div.fireEvent ) {
div.attachEvent("onclick", function click() { div.attachEvent("onclick", function click() {
// Cloning a node shouldn't copy over any // Cloning a node shouldn't copy over any
@ -191,6 +201,6 @@
jQuery.support.changeBubbles = eventSupported("change"); jQuery.support.changeBubbles = eventSupported("change");
// release memory in IE // release memory in IE
root = script = div = all = a = null; div = all = a = null;
})(); })();
})( jQuery ); })( jQuery );
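Review bot: In the new `jQuery.support.scriptEval`, a probe that does not run is cached as `_scriptEval = false` whatever the cause, so a page whose Content Security Policy blocks inline script is handled like the IE case and `globalEval` falls through to `script.text = data`, which is presumably blocked by the same policy. Deferring the probe therefore avoids the violation at load time but not on the first call, and that limit deserves a comment above the function, for example `// Lazy probe: under a CSP that forbids inline script it is blocked on first call and caches false`. The empty `catch(e) {}` around `appendChild` looks intentional for IE and would read better with a one-line comment saying so.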