Fix #11249. Inline styles anger Content Security Policy.
davidben authored and dmethvin committed Jul 7, 2012
1 parent c8e8d90 commit dc83072878ed9636c8158a014bd9fa4acc1ccce3
Showing 1 changed file with 6 additions and 3 deletions.
@@ -15,10 +15,11 @@ jQuery.support = (function() {

// Preliminary tests
div.setAttribute( "className", "t" );
div.innerHTML = " <link/><table></table><a href='/a' style='top:1px;float:left;opacity:.5;'>a</a><input type='checkbox'/>";
div.innerHTML = " <link/><table></table><a href='/a'>a</a><input type='checkbox'/>";

all = div.getElementsByTagName("*");
a = div.getElementsByTagName("a")[ 0 ];
a.style.cssText = "top:1px;float:left;opacity:.5";

// Can't get basic test support
if ( !all || !all.length || !a ) {
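Review bot: `a.style.cssText = "top:1px;float:left;opacity:.5";` sits above the `if ( !all || !all.length || !a )` guard, so when `div.getElementsByTagName("a")[ 0 ]` yields nothing the assignment throws on `a.style` and the "Can't get basic test support" path is never reached. Move the `cssText` assignment below the guard.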
@@ -196,8 +197,9 @@ jQuery.support = (function() {
// display:none (it is still safe to use offsets if a parent element is
// hidden; don safety goggles and see bug #4512 for more information).
// (only IE 8 fails this test)
div.innerHTML = "<table><tr><td style='padding:0;margin:0;border:0;display:none'></td><td>t</td></tr></table>";
div.innerHTML = "<table><tr><td></td><td>t</td></tr></table>";
tds = div.getElementsByTagName("td");
tds[ 0 ].style.cssText = "padding:0;margin:0;border:0;display:none";
isSupported = ( tds[ 0 ].offsetHeight === 0 );

tds[ 0 ].style.display = "";
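Review bot: Missing comment at `tds[ 0 ].style.cssText = "padding:0;margin:0;border:0;display:none";`: nothing in the code records that the style was taken out of the `innerHTML` string because of Content Security Policy, so a later cleanup could fold it back into the markup. A one-line comment above the assignment would prevent that; the same applies to the assignments added in the other two hunks.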
@@ -249,7 +251,8 @@ jQuery.support = (function() {
// (IE 6 does this)
div.style.display = "block";
div.style.overflow = "visible";
div.innerHTML = "<div style='width:5px;'></div>";
div.innerHTML = "<div></div>";
div.firstChild.style.width = "5px";
support.shrinkWrapBlocks = ( div.offsetWidth !== 3 );

container.style.zoom = 1;
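Review bot: `div.firstChild.style.width = "5px";` depends on the string assigned to `div.innerHTML` starting directly with `<div>`, so that `firstChild` is the element and not a text node; the string in the first hunk starts with a space, so this pattern would not carry over to it. Consider a short comment noting the dependency, or select the element with `getElementsByTagName` as the other two hunks do.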

8 comments on commit dc83072

@dmethvin (Member) commented on dc83072 Jul 7, 2012

@davidben can you see if this fixes the problem you reported?

@davidben (Contributor, Author) commented on dc83072 Jul 7, 2012

Seems to do the trick (tested with the jquery-git.js build). Thanks!

@anthonyryan1 (Contributor) commented on dc83072 Jul 7, 2012

Glad to see this land!

@dmethvin (Member) commented on dc83072 Jul 8, 2012

@davidben and @anthonyryan1 I landed this since there was a good patch (even saved 1 byte gzipped) and I'm glad it solves the problem. To ensure we don't regress on this we'll need a unit test; contributions welcome. I've opened ticket 12040 on this.

@jasonkit commented on dc83072 Jul 9, 2012

It seems that I am still seeing this problem when I do the conversion of a Chrome extension from manifest ver 1 to ver 2.
When I try to add </script> in the html file, Chrome still complains about "Refused to execute inline script because of Content-Security-Policy."

However, the chrome version I used to test is 20.0.1132.47 beta, not 18.

@anthonyryan1 (Contributor) commented on dc83072 Jul 9, 2012

@jasonkit Just to confirm what may be potentially obvious, there's no point in your module where a style attribute is defined on any piece of html? This would include anything brought in from outside sources.

I can't speak fully for extensions as I'm using this in a site context, but I can vouch for this fixing the errors from simply including jQuery on a CSP enabled page (also Chrome 20 beta).

@davidben (Contributor, Author) commented on dc83072 Jul 9, 2012

Actually, that error says inline script, not style, which is different from what is fixed here. Are you sure you don't have inline script somewhere else in the file? That is, <script>something</script> instead of linking to an external file. onclick attributes and the like in markup will also bite you. I suspect this is something else in your extension, not jQuery.
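
Added example (not part of the thread or of jQuery's code): a heuristic scan that sorts inline constructs by the CSP directive that refuses them, which is the script-versus-style distinction drawn in the comment above. `auditInline` and `CHECKS` are hypothetical names, and the `PAGE` fragment is constructed; `BEFORE` and `AFTER` are the markup strings from the first hunk of this commit.

```javascript
// Added example: heuristic scan for markup that a CSP without 'unsafe-inline'
// refuses. Regex-based, so treat hits as leads to review, not a parser verdict.
const CHECKS = [
  { directive: "script-src", kind: "inline <script> body",
    re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>\s*[^<\s]/gi },
  { directive: "script-src", kind: "on* handler attribute",
    re: /<[a-z][^>]*\son[a-z]+\s*=/gi },
  { directive: "style-src", kind: "style attribute",
    re: /<[a-z][^>]*\sstyle\s*=/gi },
  { directive: "style-src", kind: "<style> element",
    re: /<style\b[^>]*>/gi },
];

// Hypothetical helper: returns one finding per offending construct, in order.
function auditInline(markup) {
  const findings = [];
  for (const { directive, kind, re } of CHECKS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(markup)) !== null) {
      findings.push({ directive, kind, index: m.index });
    }
  }
  return findings.sort((x, y) => x.index - y.index);
}

// Markup strings from the first hunk of this commit, before and after.
const BEFORE = " <link/><table></table><a href='/a' style='top:1px;float:left;opacity:.5;'>a</a><input type='checkbox'/>";
const AFTER = " <link/><table></table><a href='/a'>a</a><input type='checkbox'/>";
// Constructed page fragment: the external script is fine, the other two are not.
const PAGE = '<script src="jquery-git.js"></script>' +
  '<script>init()</script><button onclick="go()">x</button>';

for (const [name, html] of [["before", BEFORE], ["after", AFTER], ["page", PAGE]]) {
  console.log(name, auditInline(html).map(f => `${f.directive}: ${f.kind}`));
}
```

Styles applied through `element.style` after parsing, as the patched code does, never appear in the markup string and so produce no finding.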

@jasonkit commented on dc83072 Jul 9, 2012

Thanks for your quick reply. I just found out what is causing the problem: it seems that the jquery-git.js is not properly refreshed... After I relaunch Chrome, that error message is gone. Sorry about the false alarm.
