
Fix #11249. Inline styles anger Content Security Policy.

davidben authored and dmethvin committed Jul 7, 2012
1 parent c8e8d90 commit dc83072878ed9636c8158a014bd9fa4acc1ccce3
Showing with 6 additions and 3 deletions.
  1. +6 −3 src/support.js
@@ -15,10 +15,11 @@ jQuery.support = (function() {

// Preliminary tests
div.setAttribute( "className", "t" );
div.innerHTML = " <link/><table></table><a href='/a' style='top:1px;float:left;opacity:.5;'>a</a><input type='checkbox'/>";
div.innerHTML = " <link/><table></table><a href='/a'>a</a><input type='checkbox'/>";

all = div.getElementsByTagName("*");
a = div.getElementsByTagName("a")[ 0 ];
a.style.cssText = "top:1px;float:left;opacity:.5";

// Can't get basic test support
if ( !all || !all.length || !a ) {
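Review bot: `a.style.cssText = "top:1px;float:left;opacity:.5";` dereferences `a` before the `if ( !all || !all.length || !a )` guard a few lines below it, so when `getElementsByTagName("a")[ 0 ]` returns nothing this line throws instead of reaching the "Can't get basic test support" bail-out. Move the assignment below the guard.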
@@ -196,8 +197,9 @@ jQuery.support = (function() {
// display:none (it is still safe to use offsets if a parent element is
// hidden; don safety goggles and see bug #4512 for more information).
// (only IE 8 fails this test)
div.innerHTML = "<table><tr><td style='padding:0;margin:0;border:0;display:none'></td><td>t</td></tr></table>";
div.innerHTML = "<table><tr><td></td><td>t</td></tr></table>";
tds = div.getElementsByTagName("td");
tds[ 0 ].style.cssText = "padding:0;margin:0;border:0;display:none";
isSupported = ( tds[ 0 ].offsetHeight === 0 );

tds[ 0 ].style.display = "";
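Review bot: The new `tds[ 0 ].style.cssText = "padding:0;margin:0;border:0;display:none";` line carries no comment saying why the style was moved out of the markup string, and the comment block above it only mentions IE 8 and bug #4512. A one-line comment pointing at #11249 (a `style` attribute inside `innerHTML` markup is what Content Security Policy objects to) would keep a later cleanup from folding the style back into the string.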
@@ -249,7 +251,8 @@ jQuery.support = (function() {
// (IE 6 does this)
div.style.display = "block";
div.style.overflow = "visible";
div.innerHTML = "<div style='width:5px;'></div>";
div.innerHTML = "<div></div>";
div.firstChild.style.width = "5px";
support.shrinkWrapBlocks = ( div.offsetWidth !== 3 );

container.style.zoom = 1;
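Review bot: Nothing in this patch tests the change: the summary lists only src/support.js, so a later edit that puts `style='width:5px;'` back into `div.innerHTML = "<div></div>";` would go unnoticed. Add a unit test that loads jQuery on a page served with a Content Security Policy and checks that no violation is reported. Minor style point: this hunk sets `style.width` directly while the other two assign `style.cssText`; one form throughout would read better.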

8 comments on commit dc83072

@dmethvin (Member) replied Jul 7, 2012

@davidben can you see if this fixes the problem you reported?

@davidben (Contributor Author) replied Jul 7, 2012

Seems to do the trick (tested with the jquery-git.js build). Thanks!

@anthonyryan1 (Contributor) replied Jul 7, 2012

Glad to see this land!

@dmethvin (Member) replied Jul 8, 2012

@davidben and @anthonyryan1 I landed this since there was a good patch (even saved 1 byte gzipped) and I'm glad it solves the problem. To ensure we don't regress on this we'll need a unit test; contributions welcome. I've opened ticket 12040 on this.

@jasonkit replied Jul 9, 2012

It seems that I am still seeing this problem when I do the conversion of a Chrome extension from manifest ver 1 to ver 2.
When I try to add </script> in the HTML file, Chrome still complains about "Refused to execute inline script because of Content-Security-Policy."

However, the chrome version I used to test is 20.0.1132.47 beta, not 18.

@anthonyryan1 (Contributor) replied Jul 9, 2012

@jasonkit Just to confirm what may be potentially obvious, there's no point in your module where a style attribute is defined on any piece of HTML? This would include anything brought in from outside sources.

I can't speak fully for extensions as I'm using this in a site context, but I can vouch for this fixing the errors from simply including jQuery on a CSP-enabled page (also Chrome 20 beta).

@davidben (Contributor Author) replied Jul 9, 2012

Actually, that error says inline script, not style, which is different from what is fixed here. Are you sure you don't have inline script somewhere else in the file? That is, <script>something</script> instead of linking to an external file. onclick attributes and the like in markup will also bite you. I suspect this is something else in your extension, not jQuery.

@jasonkit replied Jul 9, 2012

Thanks for your quick reply. I just found out what is causing the problem: it seems that the jquery-git.js is not properly refreshed... After I relaunch Chrome, that error message is gone. Sorry about the false alarm.
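
The distinction drawn in this thread (a `style` attribute in markup is a style violation, while an inline `<script>` or an `onclick` attribute is a script violation), as an added example that is not part of the commit or the thread: a rough JavaScript scanner that reports which CSP directive a markup string would run into when the policy lacks 'unsafe-inline'. The function name `inlineCspFindings` and the sample labels are made up for the example.

```javascript
// Added example, not jQuery code. Crude string scanner for markup that a CSP
// without 'unsafe-inline' would refuse, grouped by the directive involved.
// Quoted attribute values may contain ">"; other HTML edge cases are not handled.
const TAG_RE = /<([a-z][a-z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;

function inlineCspFindings(markup) {
  const findings = [];
  for (const m of markup.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    // Blank out quoted values so text inside a value is not read as an attribute name.
    const names = m[2].replace(/"[^"]*"|'[^']*'/g, '""');
    if (/\sstyle\s*=/i.test(names)) {
      findings.push({ directive: "style-src", tag, what: "style attribute" });
    }
    for (const h of names.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ directive: "script-src", tag, what: h[1].toLowerCase() + " attribute" });
    }
    if (tag === "script" && !/\ssrc\s*=/i.test(names)) {
      findings.push({ directive: "script-src", tag, what: "inline <script>" });
    }
    if (tag === "style") {
      findings.push({ directive: "style-src", tag, what: "inline <style>" });
    }
  }
  return findings;
}

// Constructed inputs: the first two are the before/after strings from the first
// hunk of this commit; the last two are the cases named in the thread.
const SAMPLES = {
  before: " <link/><table></table><a href='/a' style='top:1px;float:left;opacity:.5;'>a</a><input type='checkbox'/>",
  after: " <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",
  inlineScript: "<script>something</script>",
  handler: "<a href='/a' onclick='go()'>a</a>",
};

for (const [name, markup] of Object.entries(SAMPLES)) {
  const hits = inlineCspFindings(markup).map(f => `${f.directive}: ${f.what} on <${f.tag}>`);
  console.log(name, "->", hits.length ? hits.join("; ") : "nothing inline");
}
```

Styles assigned after parsing through `element.style`, as the patch does, never appear in the markup string, so the scanner reports nothing for the `after` sample.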
