Core: Preserve CSP nonce on scripts in DOM manipulation

Fixes gh-3541 Closes gh-4269
author: Michał Gołębiowski-Owczarek <m.goleb@gmail.com> 2019-01-14 19:29:54 +0100
committer: GitHub <noreply@github.com> 2019-01-14 19:29:54 +0100
commit: c7c2855ed13f23322c4064407c1ed84561b95738 (patch)
tree: 0bae25a4dd554f3066fdc1df65ecf6ea43d81752 /src/core
parent: 9cb162f6b62b6d4403060a0f0d2065d3ae96bbcc (diff)
download: jquery-c7c2855ed13f23322c4064407c1ed84561b95738.tar.gz
jquery-c7c2855ed13f23322c4064407c1ed84561b95738.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/src/core/DOMEval.js b/src/core/DOMEval.js
index 199ec9518..8d2d0023b 100644
--- a/src/core/DOMEval.js
+++ b/src/core/DOMEval.js
@@ -6,6 +6,7 @@ define( [
 	var preservedScriptAttributes = {
 		type: true,
 		src: true,
+		nonce: true,
 		noModule: true
 	};
 
@@ -20,6 +21,15 @@ define( [
 			for ( i in preservedScriptAttributes ) {
 				if ( node[ i ] ) {
 					script[ i ] = node[ i ];
+				} else if ( node.getAttribute( i ) ) {
+
+					// Support: Firefox 64+, Edge 18+
+					// Some browsers don't support the "nonce" property on scripts.
+					// On the other hand, just using `setAttribute` & `getAttribute`
+					// is not enough as `nonce` is no longer exposed as an attribute
+					// in the latest standard.
+					// See https://github.com/whatwg/html/issues/2369
+					script.setAttribute( i, node.getAttribute( i ) );
 				}
 			}
 		}
author	Michał Gołębiowski-Owczarek <m.goleb@gmail.com>	2019-01-14 19:29:54 +0100
committer	GitHub <noreply@github.com>	2019-01-14 19:29:54 +0100
commit	c7c2855ed13f23322c4064407c1ed84561b95738 (patch)
tree	0bae25a4dd554f3066fdc1df65ecf6ea43d81752 /src/core
parent	9cb162f6b62b6d4403060a0f0d2065d3ae96bbcc (diff)
download	jquery-c7c2855ed13f23322c4064407c1ed84561b95738.tar.gz jquery-c7c2855ed13f23322c4064407c1ed84561b95738.zip