Commit
Fix #11249. Inline styles anger Content Security Policy.
Showing 1 changed file with 6 additions and 3 deletions.
dc83072
@davidben can you see if this fixes the problem you reported?
dc83072
Seems to do the trick (tested with the jquery-git.js build). Thanks!
dc83072
Glad to see this land!
dc83072
@davidben and @anthonyryan1 I landed this since there was a good patch (even saved 1 byte gzipped) and I'm glad it solves the problem. To ensure we don't regress on this we'll need a unit test; contributions welcome. I've opened ticket 12040 on this.
dc83072
It seems that I am still seeing this problem when I do the conversion of a Chrome extension from manifest ver 1 to ver 2.
When I try to add </script> in the html file, Chrome still complains about "Refused to execute inline script because of Content-Security-Policy."
However, the Chrome version I used to test is 20.0.1132.47 beta, not 18.
dc83072
@jasonkit Just to confirm what may be potentially obvious, there's no point in your module where a style attribute is defined on any piece of html? This would include anything brought in from outside sources.
I can't speak fully for extensions as I'm using this in a site context, but I can vouch for this fixing the errors from simply including jQuery on a CSP enabled page (also Chrome 20 beta).
dc83072
Actually, that error says inline script, not style, which is different from what is fixed here. Are you sure you don't have inline script somewhere else in the file? That is, <script>something</script> instead of linking to an external file. onclick attributes and the like in markup will also bite you. I suspect this is something else in your extension, not jQuery.
dc83072
Thanks for your quick reply, I just found out what is causing the problem, it seems that the jquery-git.js is not properly refreshed... After I relaunch chrome, that error message is gone, sorry about the false alarm.
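
The distinction drawn in the thread above (style attributes versus inline script and onclick-style handlers) can be checked mechanically before enabling a policy. The following is an added example, not part of the commit or of jQuery: a regex-based audit, which is an approximation and not an HTML parser, that groups inline constructs by the CSP directive that governs them. The function name `auditInline` and the sample markup are constructed for illustration.

```javascript
// Added example: flag inline constructs in a markup string and name the
// CSP directive that would block each one when 'unsafe-inline' is absent.
// Regex scanning is a rough audit aid, not a substitute for an HTML parser.
const CHECKS = [
  { directive: "script-src", kind: "inline <script> block",
    // <script> with no src attribute, up to its closing tag
    re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>[\s\S]*?<\/script>/gi },
  { directive: "script-src", kind: "inline event handler attribute",
    // onclick=, onload=, ... inside an opening tag (first one per tag)
    re: /<[a-z][^>]*?\son[a-z]+\s*=\s*["'][^"']*["']/gi },
  { directive: "style-src", kind: "style attribute",
    re: /<[a-z][^>]*?\sstyle\s*=\s*["'][^"']*["']/gi },
  { directive: "style-src", kind: "inline <style> block",
    re: /<style\b[^>]*>[\s\S]*?<\/style>/gi },
];

function auditInline(html) {
  const findings = [];
  for (const { directive, kind, re } of CHECKS) {
    // matchAll works on a copy of the regex, so lastIndex is never shared
    for (const m of html.matchAll(re)) {
      findings.push({ directive, kind, offset: m.index,
                      snippet: m[0].slice(0, 60) });
    }
  }
  // Report in document order so findings line up with the source file
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample: one external script (allowed), then three inline uses.
const SAMPLE = [
  '<script src="jquery-git.js"></script>',
  '<script>init();</script>',
  '<a href="/a" style="top:1px">a</a>',
  '<button onclick="go()">Go</button>',
].join("\n");

for (const f of auditInline(SAMPLE)) {
  console.log(`${f.directive}: ${f.kind} at offset ${f.offset}: ${f.snippet}`);
}
```

Markup built as a string in script and assigned through innerHTML can be passed to the same function, since a style attribute parsed that way is subject to the same style-src check.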