
Fix issue 1513: YUI violates Content-Security-Policy #1514

wants to merge 1 commit into from

4 participants


Simple change to remove use of 'eval'-like code from yui.js in order to satisfy any strict Content-Security-Policy headers.

Ran complete unit tests with YETI on my OSX Version 10.8.2 with Chrome Version 31.0.1650.63, Safari Version 6.0.2 (8536.26.17), and Firefox Version: 17.


That will fail with strict mode. What we need to do is wrap the whole of the YUI definition in:

(function (global) {

@juandopazo that will not work in nodejs because this is pointing to module when using it through require() and pointing to global when using it through node <script.js>.

(function (global) {
  'use strict';
  // ...
}(typeof global !== 'undefined' ? global : this));



Could we, at the very least, merge as is while more thought is put into using strict mode, supporting node, etc.? As it stands now, any organizations implementing CSP, i.e. large financial institutions (wink wink), will block running YUI.


Fixed in #1963.

@okuryu closed this
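
As an added example (not code from this pull request or from YUI), the JavaScript below compares the three ways of obtaining the global object that come up in this thread: the immediately-invoked `return this` from the patch, the `Function('return this')()` call it replaces, and a lookup that evaluates no strings. The function names are hypothetical, and `globalThis` is a later standard that postdates this discussion.

```javascript
// Approach used by the patch: an immediately-invoked function returning `this`.
// Inside strict code a plain call leaves `this` undefined, which is the
// strict-mode objection raised in the thread.
function viaPlainCall() {
  'use strict';
  return (function () { return this; }());
}

// Approach the patch removes. A body built by the Function constructor is
// always non-strict, so it yields the global object, but a
// Content-Security-Policy without 'unsafe-eval' makes the call throw.
function viaFunctionConstructor() {
  'use strict';
  try {
    return Function('return this')();
  } catch (e) {
    return undefined; // blocked by CSP (EvalError in browsers)
  }
}

// CSP-safe and strict-safe lookup: probe well-known names, evaluate nothing.
function resolveGlobal() {
  'use strict';
  if (typeof globalThis !== 'undefined') { return globalThis; } // ES2020
  if (typeof self !== 'undefined') { return self; }             // browsers, workers
  if (typeof window !== 'undefined') { return window; }         // older browsers
  if (typeof global !== 'undefined') { return global; }         // Node.js
  throw new Error('unable to locate the global object');
}

// Reports which approaches actually produced the global object here.
function compareApproaches() {
  var expected = resolveGlobal();
  return {
    plainCall: viaPlainCall() === expected,
    functionConstructor: viaFunctionConstructor() === expected,
    probe: true
  };
}
```

Under a policy that omits 'unsafe-eval', `viaFunctionConstructor()` returns undefined in a browser while `resolveGlobal()` is unaffected.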
Commits on Dec 21, 2013
  1. Fix issue 1513: YUI violates Content-Security-Policy

    Gerard K. Cohen authored
Showing with 6 additions and 3 deletions.
  1. +6 −3 src/yui/js/yui.js
9 src/yui/js/yui.js
@@ -199,7 +199,7 @@ available.
YUI.Env.DOMReady = true;
if (hasWin) {
remove(doc, 'DOMContentLoaded', handleReady);
- }
+ }
handleLoad = function() {
YUI.Env.windowLoaded = true;
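Review bot: the `- }` / `+ }` pair after remove(doc, 'DOMContentLoaded', handleReady) shows no visible difference, so it looks like a whitespace-only edit unrelated to the Content-Security-Policy fix. Revert it so the patch touches only the global lookup.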
@@ -431,7 +431,10 @@ proto = {
// use CDN default
return path;
- }
+ },
+ getGlobal: (function () {
+ return this;
+ }())
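Review bot: `getGlobal` is assigned the result of an immediately-invoked function, not a function, so the name invites callers to write getGlobal() and fail. Either give it a noun name or keep it as a real function and call it at the use site. The `return this` inside a plain call also yields undefined once this file runs under 'use strict', so add a fallback or pass the global in as a wrapper argument, and add a doc comment saying the Function constructor is avoided because of CSP.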
@@ -476,7 +479,7 @@ proto = {
useBrowserConsole: true,
useNativeES5: true,
win: win,
- global: Function('return this')()
+ global: Y.Env.getGlobal
//Register the CSS stamp element
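Review bot: `global: Y.Env.getGlobal` has no fallback, unlike the removed `Function('return this')()`, whose body is always non-strict and therefore returned the global object whatever the caller's mode. If the immediately-invoked function from the previous hunk ever runs in strict code, this config value silently becomes undefined. Guard it, for example by checking typeof window and typeof global before falling back to Y.Env.getGlobal.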