var preservedScriptAttributes = {
type: true,
src: true,
+ nonce: true,
noModule: true
};
for ( i in preservedScriptAttributes ) {
if ( node[ i ] ) {
script[ i ] = node[ i ];
+ } else if ( node.getAttribute( i ) ) {
+
+ // Support: Firefox 64+, Edge 18+
+ // Some browsers don't support the "nonce" property on scripts.
+ // On the other hand, just using `setAttribute` & `getAttribute`
+ // is not enough as `nonce` is no longer exposed as an attribute
+ // in the latest standard.
+ // See https://github.com/whatwg/html/issues/2369
+ script.setAttribute( i, node.getAttribute( i ) );
}
}
}
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>CSP nonce Test Page</title>
+ <script nonce="jquery+hardcoded+nonce" src="../jquery.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="iframeTest.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="csp-nonce.js"></script>
+</head>
+<body>
+ <p>CSP nonce Test Page</p>
+</body>
+</html>
--- /dev/null
+/* global startIframeTest */
+
+jQuery( function() {
+ var script = document.createElement( "script" );
+ script.setAttribute( "nonce", "jquery+hardcoded+nonce" );
+ script.innerHTML = "startIframeTest()";
+ $( document.head ).append( script );
+} );
echo file_get_contents( __DIR__ . '/csp.include.html' );
}
+ protected function cspNonce( $req ) {
+ // This is CSP only for browsers with "Content-Security-Policy" header support
+ // i.e. no old WebKit or old Firefox
+ header( "Content-Security-Policy: script-src 'nonce-jquery+hardcoded+nonce'; report-uri ./mock.php?action=cspLog" );
+ header( 'Content-type: text/html' );
+ echo file_get_contents( __DIR__ . '/csp-nonce.html' );
+ }
+
protected function cspLog( $req ) {
file_put_contents( $this->cspFile, 'error' );
}
// Otherwise, load synchronously
} else {
- document.write( "<script id='jquery-js' src='" + parentUrl + src + "'><\x2Fscript>" );
+ document.write( "<script id='jquery-js' nonce='jquery+hardcoded+nonce' src='" + parentUrl + src + "'><\x2Fscript>" );
}
} )();
var body = fs.readFileSync( __dirname + "/data/csp.include.html" ).toString();
resp.end( body );
},
+ cspNonce: function( req, resp ) {
+ resp.writeHead( 200, {
+ "Content-Type": "text/html",
+ "Content-Security-Policy": "script-src 'nonce-jquery+hardcoded+nonce'; report-uri /base/test/data/mock.php?action=cspLog"
+ } );
+ var body = fs.readFileSync( __dirname + "/data/csp-nonce.html" ).toString();
+ resp.end( body );
+ },
cspLog: function( req, resp ) {
cspLog = "error";
resp.writeHead( 200 );
jQuery.globalEval = globalEval;
}
} );
+
+testIframe(
+ "Check if CSP nonce is preserved",
+ "mock.php?action=cspNonce",
+ function( assert, jQuery, window, document ) {
+ var done = assert.async();
+
+ assert.expect( 1 );
+
+ supportjQuery.get( baseURL + "support/csp.log" ).done( function( data ) {
+ assert.equal( data, "", "No log request should be sent" );
+ supportjQuery.get( baseURL + "mock.php?action=cspClean" ).done( done );
+ } );
+ },
+
+ // Support: Edge 18+
+ // Edge doesn't support nonce in non-inline scripts.
+ // See https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/
+ QUnit[ /\bedge\//i.test( navigator.userAgent ) ? "skip" : "test" ]
+);
projects / jquery.git / commitdiff