authorJohn Resig <jeresig@gmail.com>2011-01-18 15:13:09 -0500
committerJohn Resig <jeresig@gmail.com>2011-01-18 15:13:09 -0500
commit9c763ad39d42c54d24f659e7895a8f361a08d27c (patch)
tree3deddc380e94e89e5f95aba67974fa49744f29e4 /src
parentc1d719b580ea78c33961113030d7fa25bcc98e6f (diff)
downloadjquery-9c763ad39d42c54d24f659e7895a8f361a08d27c.tar.gz
jquery-9c763ad39d42c54d24f659e7895a8f361a08d27c.zip
Add another tweak for handling CSP - we need to make sure that we don't trigger any eval on load (not sure if it's the best tweak, definitely not ideal). Add a test page as well so that it's easier to catch problems.
Diffstat (limited to 'src')
-rw-r--r--src/support.js11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/support.js b/src/support.js
index f502811ae..7be28fdaf 100644
--- a/src/support.js
+++ b/src/support.js
@@ -75,7 +75,7 @@
jQuery.support.optDisabled = !opt.disabled;
jQuery.support.scriptEval = function() {
- if ( jQuery.support._scriptEval === null) {
+ if ( jQuery.support._scriptEval === null ) {
var root = document.documentElement,
script = document.createElement("script"),
id = "script" + jQuery.now();
@@ -101,6 +101,7 @@
// release memory in IE
root = script = id = null;
}
+
return jQuery.support._scriptEval;
};
@@ -187,6 +188,14 @@
var el = document.createElement("div");
eventName = "on" + eventName;
+ // We only care about the case where non-standard event systems
+ // are used, namely in IE. Short-circuiting here helps us to
+ // avoid an eval call (in setAttribute) which can cause CSP
+ // to go haywire. See: https://developer.mozilla.org/en/Security/CSP
+ if ( !el.attachEvent ) {
+ return true;
+ }
+
var isSupported = (eventName in el);
if ( !isSupported ) {
el.setAttribute(eventName, "return;");
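Review bot: The early `return true` at `if ( !el.attachEvent )` reports every event name as supported on engines without `attachEvent`, so the result there no longer comes from a feature test. Engines that do expose `attachEvent` still reach `el.setAttribute(eventName, "return;")`, so a Content Security Policy that forbids inline script would presumably still block and report the inline handler on those engines. The comment should state both assumptions, e.g. `// Assumes engines without attachEvent bubble the tested events; engines with attachEvent still take the inline-handler path below`. It would also be more precise to describe the attribute as an inline event handler, which CSP restricts under its inline-script rules, rather than as "an eval call". The enclosing function starts and ends outside this hunk.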