diff options
author | John Resig <jeresig@gmail.com> | 2011-01-18 15:13:09 -0500 |
---|---|---|
committer | John Resig <jeresig@gmail.com> | 2011-01-18 15:13:09 -0500 |
commit | 9c763ad39d42c54d24f659e7895a8f361a08d27c (patch) | |
tree | 3deddc380e94e89e5f95aba67974fa49744f29e4 /src | |
parent | c1d719b580ea78c33961113030d7fa25bcc98e6f (diff) | |
download | jquery-9c763ad39d42c54d24f659e7895a8f361a08d27c.tar.gz jquery-9c763ad39d42c54d24f659e7895a8f361a08d27c.zip |
Add another tweak for handling CSP - we need to make sure that we don't trigger any eval on load (not sure if it's the best tweak, definitely not ideal). Add a test page as well so that it's easier to catch problem.
Diffstat (limited to 'src')
-rw-r--r-- | src/support.js | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/support.js b/src/support.js index f502811ae..7be28fdaf 100644 --- a/src/support.js +++ b/src/support.js @@ -75,7 +75,7 @@ jQuery.support.optDisabled = !opt.disabled; jQuery.support.scriptEval = function() { - if ( jQuery.support._scriptEval === null) { + if ( jQuery.support._scriptEval === null ) { var root = document.documentElement, script = document.createElement("script"), id = "script" + jQuery.now(); @@ -101,6 +101,7 @@ // release memory in IE root = script = id = null; } + return jQuery.support._scriptEval; }; @@ -187,6 +188,14 @@ var el = document.createElement("div"); eventName = "on" + eventName; + // We only care about the case where non-standard event systems + // are used, namely in IE. Short-circuiting here helps us to + // avoid an eval call (in setAttribute) which can cause CSP + // to go haywire. See: https://developer.mozilla.org/en/Security/CSP + if ( !el.attachEvent ) { + return true; + } + var isSupported = (eventName in el); if ( !isSupported ) { el.setAttribute(eventName, "return;"); |