authorbuddh4 <mail@jharrer.de>2019-03-19 22:40:30 +0100
committerMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2019-03-25 18:14:24 +0100
commit005040379d8b64aacbe54941d878efa6e86df1cc (patch)
tree158b1b84fcddcb4271aa5df2955ec017aca6e4e9 /src/manipulation.js
parentfe5f04de8fde9c69ed48283b99280aa6df3795c7 (diff)
Core: Preserve CSP nonce on scripts with src attribute in DOM manipulation
Fixes gh-4323 Closes gh-4328
Diffstat (limited to 'src/manipulation.js')
-rw-r--r--src/manipulation.js4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/manipulation.js b/src/manipulation.js
index 7dbc92689..ab19d8b3c 100644
--- a/src/manipulation.js
+++ b/src/manipulation.js
@@ -199,7 +199,9 @@ function domManip( collection, args, callback, ignored ) {
// Optional AJAX dependency, but won't run scripts if not present
if ( jQuery._evalUrl && !node.noModule ) {
- jQuery._evalUrl( node.src );
+ jQuery._evalUrl( node.src, {
+ nonce: node.nonce || node.getAttribute( "nonce" )
+ } );
}
} else {
DOMEval( node.textContent.replace( rcleanScript, "" ), node, doc );
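Review bot: The new `nonce: node.nonce || node.getAttribute( "nonce" )` option needs a comment explaining why both lookups exist and why the property comes first, because the order is security-relevant. Browsers that implement nonce hiding return an empty string from `getAttribute( "nonce" )` once the script element is connected to a document, so the attribute only works as a fallback for engines without the `nonce` property. A line such as `// Prefer the nonce property; browsers may hide the content attribute` above the option would keep a later cleanup from collapsing it to a single lookup. When the script carries no nonce the option is `null` or `""`, so `jQuery._evalUrl`, which is not visible in this hunk, should treat any falsy value as "no nonce" rather than emit an empty attribute. The body of `domManip` starts and ends outside the hunk.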