Fix issue 1513: YUI violates Content-Security-Policy #1514

@gerardkcohen

Simple change to remove use of 'eval'-like code from yui.js in order to satisfy any strict Content-Security-Policy headers.

Ran complete unit tests with YETI on my OSX Version 10.8.2 with Chrome Version 31.0.1650.63, Safari Version 6.0.2 (8536.26.17), and Firefox Version: 17.

@juandopazo
Collaborator

That will fail with strict mode. What we need to do is wrap the whole of the YUI definition in:

(function (global) {
  //...
}(this));

@caridy
Owner

@juandopazo that will not work in nodejs because this is pointing to module when using it thru require() and pointing to global when using it thru node <script.js>.

@juandopazo
Collaborator

(function (global) {
  'use strict';
  // ...
}(typeof global !== 'undefined' ? global : this));

Yuck.

@gerardkcohen

Could we, at the very least, merge as is while more thought is put into using strict mode, supporting node, etc.? As it stands now, any organizations implementing CSP, i.e. large financial institutions (wink wink), will block running YUI.

@okuryu
Collaborator

Fixed in #1963.

@okuryu okuryu closed this
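
The trade-offs raised in this thread, as an added example that is not part of the pull request or of YUI: a Node.js harness that evaluates each way of reaching the global object with and without strict mode, and with string code generation disabled to model a Content-Security-Policy that lacks 'unsafe-eval'. The names `STRATEGIES`, `probe` and `matrix` are hypothetical, and the `globalThis` row goes beyond what the thread discusses.

```javascript
// Added example: a constructed harness, not YUI code.
const vm = require('vm');

// Ways of reaching the global object that come up in this thread.
const STRATEGIES = {
  // Original yui.js line: eval-like, so CSP without 'unsafe-eval' blocks it.
  functionConstructor: "Function('return this')()",
  // This pull request: an IIFE that relies on sloppy-mode `this`.
  iifeThis: '(function () { return this; }())',
  // Review suggestion: pass an explicit reference into the wrapper.
  explicitRef: "(typeof global !== 'undefined' ? global : this)",
  // Not in the thread: the later standard `globalThis` binding.
  globalThisRef: 'globalThis'
};

// Evaluate one expression as a top-level script in a fresh context.
// allowEval=false makes eval/Function throw EvalError, which models a
// policy without 'unsafe-eval' (assumption: a browser-like script context,
// not a Node module where top-level `this` is module.exports).
function probe(expr, { strict, allowEval }) {
  const ctx = vm.createContext({}, { codeGeneration: { strings: allowEval } });
  const src = (strict ? "'use strict';\n" : '') +
    `(${expr}) === this ? 'global' : 'not-global';`;
  try {
    return vm.runInContext(src, ctx);
  } catch (err) {
    // The error comes from another realm, so compare by name.
    if (err && err.name === 'EvalError') return 'blocked';
    throw err;
  }
}

// One row per strategy, one column per environment.
function matrix() {
  const rows = {};
  for (const [name, expr] of Object.entries(STRATEGIES)) {
    rows[name] = {
      cspSloppy: probe(expr, { strict: false, allowEval: false }),
      cspStrict: probe(expr, { strict: true, allowEval: false }),
      noCspStrict: probe(expr, { strict: true, allowEval: true })
    };
  }
  return rows;
}

console.table(matrix());
```
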
Commits on Dec 21, 2013
  1. Fix issue 1513: YUI violates Content-Security-Policy

    Gerard K. Cohen authored
Showing with 6 additions and 3 deletions.
  1. +6 −3 src/yui/js/yui.js
9 src/yui/js/yui.js
@@ -199,7 +199,7 @@ available.
YUI.Env.DOMReady = true;
if (hasWin) {
remove(doc, 'DOMContentLoaded', handleReady);
- }
+ }
},
handleLoad = function() {
YUI.Env.windowLoaded = true;
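Review bot: The closing brace of the `if (hasWin)` block is removed and re-added with no visible difference, so this looks like a whitespace-only edit unrelated to the Content-Security-Policy fix. Drop it from the commit so the diff carries only the change to how `global` is obtained.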
@@ -431,7 +431,10 @@ proto = {
// use CDN default
return path;
- }
+ },
+ getGlobal: (function () {
+ return this;
+ }())
};
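Review bot: The IIFE assigned to `getGlobal` returns `this` from a plain function call, which is the global object only in sloppy mode; if this file or an enclosing wrapper is ever put under 'use strict', `this` is undefined there and the property silently becomes undefined. Pass the global object in explicitly (for example as an argument to the outer wrapper) rather than depending on implicit `this`, and document the reason next to the definition.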
@@ -476,7 +479,7 @@ proto = {
useBrowserConsole: true,
useNativeES5: true,
win: win,
- global: Function('return this')()
+ global: Y.Env.getGlobal
};
//Register the CSS stamp element
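Review bot: `global: Y.Env.getGlobal` reads like a missing call, because the property has a verb name but already holds the result of the IIFE added in the previous hunk. Rename it to a noun, or make it a real function and call it here, and add a comment on this line noting that `Function('return this')()` was removed because eval-like code is rejected under a strict Content-Security-Policy.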