Add another tweak for handling CSP - we need to make sure that we don't trigger any eval on load (not sure if it's the best tweak, definitely not ideal). Add a test page as well so that it's easier to catch problems.
parent
c1d719b580
commit
9c763ad39d
2 changed files with 40 additions and 1 deletions
|
@ -75,7 +75,7 @@
|
|||
jQuery.support.optDisabled = !opt.disabled;
|
||||
|
||||
jQuery.support.scriptEval = function() {
|
||||
if ( jQuery.support._scriptEval === null) {
|
||||
if ( jQuery.support._scriptEval === null ) {
|
||||
var root = document.documentElement,
|
||||
script = document.createElement("script"),
|
||||
id = "script" + jQuery.now();
|
||||
|
@ -101,6 +101,7 @@
|
|||
// release memory in IE
|
||||
root = script = id = null;
|
||||
}
|
||||
|
||||
return jQuery.support._scriptEval;
|
||||
};
|
||||
|
||||
|
@ -187,6 +188,14 @@
|
|||
var el = document.createElement("div");
|
||||
eventName = "on" + eventName;
|
||||
|
||||
// We only care about the case where non-standard event systems
|
||||
// are used, namely in IE. Short-circuiting here helps us to
|
||||
// avoid an eval call (in setAttribute) which can cause CSP
|
||||
// to go haywire. See: https://developer.mozilla.org/en/Security/CSP
|
||||
if ( !el.attachEvent ) {
|
||||
return true;
|
||||
}
|
||||
|
||||
var isSupported = (eventName in el);
|
||||
if ( !isSupported ) {
|
||||
el.setAttribute(eventName, "return;");
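Review bot: The early `return true` taken when `el.attachEvent` is absent reports every event name as supported on those engines, including names the element does not implement, so on that path the function is no longer a feature test; the comment should say so, e.g. `// Without attachEvent we assume support; no detection is performed on this path.` The comment also describes the problem as an eval call, but what a Content Security Policy rejects at `el.setAttribute(eventName, "return;")` is the inline event-handler attribute, which is governed by the inline-script restriction rather than the eval restriction, and naming it that way tells the next maintainer which policy directive is involved. The `setAttribute` probe still runs whenever `attachEvent` exists and `eventName in el` is false, so an engine that has both `attachEvent` and CSP enforcement would presumably still log a violation; that deserves a note next to the guard. The enclosing function starts and ends outside this hunk, so callers that rely on a false result cannot be checked from here.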
|
||||
|
|