
Add another tweak for handling CSP - we need to make sure that we don…

…'t trigger any eval on load (not sure if it's the best tweak, definitely not ideal). Add a test page as well so that it's easier to catch problems.
jeresig committed Jan 18, 2011
1 parent c1d719b commit 9c763ad39d42c54d24f659e7895a8f361a08d27c
Showing with 40 additions and 1 deletion.
  1. +10 −1 src/support.js
  2. +30 −0 test/csp.php
@@ -75,7 +75,7 @@
jQuery.support.optDisabled = !opt.disabled;

jQuery.support.scriptEval = function() {
if ( jQuery.support._scriptEval === null) {
if ( jQuery.support._scriptEval === null ) {
var root = document.documentElement,
script = document.createElement("script"),
id = "script" + jQuery.now();
@@ -101,6 +101,7 @@
// release memory in IE
root = script = id = null;
}

return jQuery.support._scriptEval;
};

@@ -187,6 +188,14 @@
var el = document.createElement("div");
eventName = "on" + eventName;

// We only care about the case where non-standard event systems
// are used, namely in IE. Short-circuiting here helps us to
// avoid an eval call (in setAttribute) which can cause CSP
// to go haywire. See: https://developer.mozilla.org/en/Security/CSP
if ( !el.attachEvent ) {
return true;
}

var isSupported = (eventName in el);
if ( !isSupported ) {
el.setAttribute(eventName, "return;");
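Review bot: The early `return true` added under the `!el.attachEvent` guard reports every event as supported in browsers that lack attachEvent, skipping the `eventName in el` probe that follows, so the function's answer changes for standards browsers instead of merely avoiding the setAttribute fallback; callers that presumably key off a false result for an unsupported event will now see true there. Only the `setAttribute(eventName, "return;")` call is the CSP-sensitive step, so the `in` probe can stay common to all browsers and the guard can move onto the fallback instead: `if ( !isSupported && el.attachEvent ) {`, with the three-line early return removed. The remainder of the fallback and the function's return value lie outside the hunk, so confirm nothing there depends on the early exit.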
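--- /dev/null
+++ b/test/csp.php
@@ -0,0 +1,30 @@
+<?php header("X-Content-Security-Policy-Report-Only: allow *"); ?>
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<title>CSP Test Page</title>
+
+<script src="../src/core.js"></script>
+<script src="../src/support.js"></script>
+<script src="../src/data.js"></script>
+<script src="../src/queue.js"></script>
+<script src="../src/attributes.js"></script>
+<script src="../src/event.js"></script>
+<script src="../src/sizzle/sizzle.js"></script>
+<script src="../src/sizzle-jquery.js"></script>
+<script src="../src/traversing.js"></script>
+<script src="../src/manipulation.js"></script>
+<script src="../src/css.js"></script>
+<script src="../src/ajax.js"></script>
+<script src="../src/ajax/jsonp.js"></script>
+<script src="../src/ajax/script.js"></script>
+<script src="../src/ajax/xhr.js"></script>
+<script src="../src/effects.js"></script>
+<script src="../src/offset.js"></script>
+<script src="../src/dimensions.js"></script>
+</head>
+<body>
+<p>CSP Test Page</p>
+</body>
+</html>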
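Review bot: The header on the first line is the Report-Only form of the policy, so an inline script or eval triggered while the sources load is reported but never blocked, and with no report-uri the only trace is whatever the browser writes to its console; the page renders the same whether or not the regression is present. An enforcing variant, `<?php header("X-Content-Security-Policy: allow *"); ?>`, either here or in a second page, would make a violation observable as broken jQuery behaviour rather than a console entry. A one-line comment above the header saying what a failure looks like (and that the console must be open to see reports in the Report-Only mode) would help whoever runs this next.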

1 comment on commit 9c763ad

@jeresig


Member Author

jeresig commented on 9c763ad Jan 18, 2011

This was all related to this bug: http://bugs.jquery.com/ticket/7371
