Add another tweak for handling CSP - we need to make sure that we don't trigger any eval on load (not sure if it's the best tweak, definitely not ideal). Add a test page as well so that it's easier to catch problem.
This commit is contained in:
John Resig
parent
c1d719b580
commit
9c763ad39d
|
|
@ -75,7 +75,7 @@
|
||||||
jQuery.support.optDisabled = !opt.disabled;
|
jQuery.support.optDisabled = !opt.disabled;
|
||||||
|
|
||||||
jQuery.support.scriptEval = function() {
|
jQuery.support.scriptEval = function() {
|
||||||
if ( jQuery.support._scriptEval === null) {
|
if ( jQuery.support._scriptEval === null ) {
|
||||||
var root = document.documentElement,
|
var root = document.documentElement,
|
||||||
script = document.createElement("script"),
|
script = document.createElement("script"),
|
||||||
id = "script" + jQuery.now();
|
id = "script" + jQuery.now();
|
||||||
|
|
@ -101,6 +101,7 @@
|
||||||
// release memory in IE
|
// release memory in IE
|
||||||
root = script = id = null;
|
root = script = id = null;
|
||||||
}
|
}
|
||||||
|
|
||||||
return jQuery.support._scriptEval;
|
return jQuery.support._scriptEval;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -187,6 +188,14 @@
|
||||||
var el = document.createElement("div");
|
var el = document.createElement("div");
|
||||||
eventName = "on" + eventName;
|
eventName = "on" + eventName;
|
||||||
|
|
||||||
|
// We only care about the case where non-standard event systems
|
||||||
|
// are used, namely in IE. Short-circuiting here helps us to
|
||||||
|
// avoid an eval call (in setAttribute) which can cause CSP
|
||||||
|
// to go haywire. See: https://developer.mozilla.org/en/Security/CSP
|
||||||
|
if ( !el.attachEvent ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
var isSupported = (eventName in el);
|
var isSupported = (eventName in el);
|
||||||
if ( !isSupported ) {
|
if ( !isSupported ) {
|
||||||
el.setAttribute(eventName, "return;");
|
el.setAttribute(eventName, "return;");
|
||||||
|
|
|
||||||
30
test/csp.php
Normal file
30
test/csp.php
Normal file
|
|
@ -0,0 +1,30 @@
|
||||||
|
<?php header("X-Content-Security-Policy-Report-Only: allow *"); ?>
|
||||||
|
<!DOCTYPE html>
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||||||
|
<title>CSP Test Page</title>
|
||||||
|
|
||||||
|
<script src="../src/core.js"></script>
|
||||||
|
<script src="../src/support.js"></script>
|
||||||
|
<script src="../src/data.js"></script>
|
||||||
|
<script src="../src/queue.js"></script>
|
||||||
|
<script src="../src/attributes.js"></script>
|
||||||
|
<script src="../src/event.js"></script>
|
||||||
|
<script src="../src/sizzle/sizzle.js"></script>
|
||||||
|
<script src="../src/sizzle-jquery.js"></script>
|
||||||
|
<script src="../src/traversing.js"></script>
|
||||||
|
<script src="../src/manipulation.js"></script>
|
||||||
|
<script src="../src/css.js"></script>
|
||||||
|
<script src="../src/ajax.js"></script>
|
||||||
|
<script src="../src/ajax/jsonp.js"></script>
|
||||||
|
<script src="../src/ajax/script.js"></script>
|
||||||
|
<script src="../src/ajax/xhr.js"></script>
|
||||||
|
<script src="../src/effects.js"></script>
|
||||||
|
<script src="../src/offset.js"></script>
|
||||||
|
<script src="../src/dimensions.js"></script>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<p>CSP Test Page</p>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
Loading…
Reference in a new issue