Core: Preserve CSP nonce on scripts with src attribute in DOM manipulation 4328/head
author: buddh4 <mail@jharrer.de>
Tue, 19 Mar 2019 21:40:30 +0000 (22:40 +0100)
committer: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
Mon, 25 Mar 2019 17:14:24 +0000 (18:14 +0100)
Fixes gh-4323
Closes gh-4328

src/manipulation.js
src/manipulation/_evalUrl.js
test/data/csp-nonce-external.html [new file with mode: 0644]
test/data/csp-nonce-external.js [new file with mode: 0644]
test/unit/manipulation.js

index 7dbc92689276fc240f9894cc5ecd3674aaac0bff..ab19d8b3cd7de9caf188cebbb86c0439ad681019 100644 (file)
@@ -199,7 +199,9 @@ function domManip( collection, args, callback, ignored ) {
 
                                                        // Optional AJAX dependency, but won't run scripts if not present
                                                        if ( jQuery._evalUrl && !node.noModule ) {
-                                                               jQuery._evalUrl( node.src );
+                                                               jQuery._evalUrl( node.src, {
+                                                                       nonce: node.nonce || node.getAttribute( "nonce" )
+                                                               } );
                                                        }
                                                } else {
                                                        DOMEval( node.textContent.replace( rcleanScript, "" ), node, doc );
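Review bot: The new `node.nonce || node.getAttribute( "nonce" )` expression on the added lines deserves a why-comment, because the double read is not obvious: browsers that implement CSP nonce hiding empty the `nonce` content attribute once the element is connected and keep the value only on the IDL property, while older engines expose no `nonce` property at all. I would add, directly above the `jQuery._evalUrl` call, `// Prefer the nonce IDL property: CSP-capable browsers blank the attribute once the` / `// element is connected; older browsers only expose the attribute.` The nonce forwarded here is the one the caller already placed on the script element in the markup handed to jQuery, so evaluating the fetched source under it matches what the browser would do for that element itself rather than widening what the page's policy allows. domManip's body starts and ends outside the hunk.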
index e20995a8971cef3cd05c2ef5a645b3362dff3005..9a4d2ac6fda3abadae7c97fc3dd7a39d7e7e3422 100644 (file)
@@ -4,7 +4,7 @@ define( [
 
 "use strict";
 
-jQuery._evalUrl = function( url ) {
+jQuery._evalUrl = function( url, options ) {
        return jQuery.ajax( {
                url: url,
 
@@ -22,7 +22,7 @@ jQuery._evalUrl = function( url ) {
                        "text script": function() {}
                },
                dataFilter: function( response ) {
-                       jQuery.globalEval( response );
+                       jQuery.globalEval( response, options );
                }
        } );
 };
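Review bot: The new `options` parameter on `jQuery._evalUrl` (first hunk, `jQuery._evalUrl = function( url, options ) {`) is undocumented and is forwarded unchanged to `jQuery.globalEval` in the second hunk, so the function's contract now depends on whatever keys globalEval honours. I would add a short comment above the function: `// options: forwarded as-is to jQuery.globalEval; the caller in src/manipulation.js` / `// passes { nonce } so the fetched script runs under the CSP nonce of the requesting element.` Callers that still pass a single argument hand `undefined` through to globalEval, which is fine provided globalEval tolerates a missing options object — that code is outside this diff.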
diff --git a/test/data/csp-nonce-external.html b/test/data/csp-nonce-external.html
new file mode 100644 (file)
index 0000000..8baa85c
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+       <title>CSP nonce via jQuery.globalEval Test Page</title>
+       <script nonce="jquery+hardcoded+nonce" src="../jquery.js"></script>
+       <script nonce="jquery+hardcoded+nonce" src="iframeTest.js"></script>
+       <script nonce="jquery+hardcoded+nonce" src="csp-nonce-external.js"></script>
+</head>
+<body>
+       <p>CSP nonce for external script Test Page</p>
+</body>
+</html>
diff --git a/test/data/csp-nonce-external.js b/test/data/csp-nonce-external.js
new file mode 100644 (file)
index 0000000..efedd5a
--- /dev/null
@@ -0,0 +1,5 @@
+/* global startIframeTest */
+
+jQuery( function() {
+       $( "body" ).append( "<script nonce='jquery+hardcoded+nonce' src='csp-nonce.js'></script>" );
+} );
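Review bot: The `/* global startIframeTest */` directive at the top of the new fixture declares a global that this file never references; the five visible lines only append a script element, so the directive is either leftover or belongs in `csp-nonce.js`, which presumably is what calls `startIframeTest` — I'd drop it here. The body also mixes the `jQuery` and `$` aliases on adjacent lines; for consistency use one, e.g. `jQuery( "body" ).append( "<script nonce='jquery+hardcoded+nonce' src='csp-nonce.js'></script>" );`. The appended `csp-nonce.js` is not part of this commit, so the fixture relies on it already existing alongside this file.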
index d8c86e31cb5f4726f351aba51b08b1fa988d5fac..b0d3e3a884a8cc9b689bb7dc6e9371cf9fccf3e1 100644 (file)
@@ -2894,6 +2894,29 @@ testIframe(
        QUnit[ /\bedge\/|iphone os [789]|android 4\./i.test( navigator.userAgent ) ? "skip" : "test" ]
 );
 
+testIframe(
+    "Check if CSP nonce is preserved for external scripts with src attribute",
+    "mock.php?action=cspNonce&test=external",
+    function( assert, jQuery, window, document ) {
+        var done = assert.async();
+
+        assert.expect( 1 );
+
+        supportjQuery.get( baseURL + "support/csp.log" ).done( function( data ) {
+            assert.equal( data, "", "No log request should be sent" );
+            supportjQuery.get( baseURL + "mock.php?action=cspClean" ).done( done );
+        } );
+    },
+
+    // Support: Edge 18+, iOS 7-9 only, Android 4.0-4.4 only
+    // Edge doesn't support nonce in non-inline scripts.
+    // See https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/
+    // Old iOS & Android Browser versions support script-src but not nonce, making this test
+    // impossible to run. Browsers not supporting CSP at all are not a problem as they'll skip
+    // script-src restrictions completely.
+    QUnit[ /\bedge\/|iphone os [789]|android 4\./i.test( navigator.userAgent ) ? "skip" : "test" ]
+);
+
 testIframe(
        "jQuery.globalEval supports nonce",
        "mock.php?action=cspNonce&test=globaleval",
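Review bot: The added test block is indented with four spaces (from the `"Check if CSP nonce is preserved for external scripts with src attribute"` line through the `QUnit[ … ]` selector) while the surrounding file uses tabs, as the context lines before and after the insertion show; it should be re-indented with tabs to match the file and its lint rules. The skip selector `QUnit[ /\bedge\/|iphone os [789]|android 4\./i.test( navigator.userAgent ) ? "skip" : "test" ]` and its six-line explanatory comment are now duplicated verbatim from the preceding testIframe call; hoisting them into one shared local such as `var cspNonceTestMode = QUnit[ /\bedge\/|iphone os [789]|android 4\./i.test( navigator.userAgent ) ? "skip" : "test" ];` and passing it to both calls would keep the browser list in one place. The enclosing file continues outside the hunk.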