authorbuddh4 <mail@jharrer.de>2019-03-19 22:40:30 +0100
committerMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2019-03-25 18:14:24 +0100
commit005040379d8b64aacbe54941d878efa6e86df1cc (patch)
tree158b1b84fcddcb4271aa5df2955ec017aca6e4e9 /src
parentfe5f04de8fde9c69ed48283b99280aa6df3795c7 (diff)
Core: Preserve CSP nonce on scripts with src attribute in DOM manipulation
Fixes gh-4323 Closes gh-4328
Diffstat (limited to 'src')
-rw-r--r--src/manipulation.js4
-rw-r--r--src/manipulation/_evalUrl.js4
2 files changed, 5 insertions, 3 deletions
diff --git a/src/manipulation.js b/src/manipulation.js
index 7dbc92689..ab19d8b3c 100644
--- a/src/manipulation.js
+++ b/src/manipulation.js
@@ -199,7 +199,9 @@ function domManip( collection, args, callback, ignored ) {
// Optional AJAX dependency, but won't run scripts if not present
if ( jQuery._evalUrl && !node.noModule ) {
- jQuery._evalUrl( node.src );
+ jQuery._evalUrl( node.src, {
+ nonce: node.nonce || node.getAttribute( "nonce" )
+ } );
}
} else {
DOMEval( node.textContent.replace( rcleanScript, "" ), node, doc );
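Review bot: The `nonce: node.nonce || node.getAttribute( "nonce" )` line reads the value from two places with no comment saying why, which invites a later simplification that breaks one class of browser. Browsers that implement nonce hiding return an empty string from `getAttribute( "nonce" )` once the element is connected and expose the value only through the `nonce` property, while browsers without that property have only the attribute. A comment above the line, for example `// Support: nonce-hiding browsers expose the value only as a property, older ones only as an attribute`, would record that. It would also help to state there that the remote script body is fetched by `jQuery._evalUrl` and then evaluated under this nonce, so the nonce on the inserted element vouches for whatever the URL returns. `domManip` begins and ends outside this hunk.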
diff --git a/src/manipulation/_evalUrl.js b/src/manipulation/_evalUrl.js
index e20995a89..9a4d2ac6f 100644
--- a/src/manipulation/_evalUrl.js
+++ b/src/manipulation/_evalUrl.js
@@ -4,7 +4,7 @@ define( [
"use strict";
-jQuery._evalUrl = function( url ) {
+jQuery._evalUrl = function( url, options ) {
return jQuery.ajax( {
url: url,
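Review bot: The new `options` parameter of `jQuery._evalUrl` is undocumented, and nothing in the signature says which keys are honoured. The only caller in this commit passes `{ nonce }`, so a short comment above the function such as `// options.nonce: CSP nonce applied when the fetched script is evaluated` would fix the contract. Because `domManip` tests `jQuery._evalUrl` for presence before calling it, the function appears to be an optional hook that other code could replace; a replacement that keeps the one-argument form would drop the nonce silently, which is worth stating in the same comment. The function body continues outside this hunk.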
@@ -22,7 +22,7 @@ jQuery._evalUrl = function( url ) {
"text script": function() {}
},
dataFilter: function( response ) {
- jQuery.globalEval( response );
+ jQuery.globalEval( response, options );
}
} );
};
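Review bot: `jQuery.globalEval( response, options )` forwards the caller's object unchanged, and `options` is `undefined` whenever `_evalUrl` is called with a URL alone, as it was before this commit. `globalEval` is not part of this diff, so confirm that it tolerates a missing second argument and reads only `nonce` from it; otherwise pass an explicit value, e.g. `jQuery.globalEval( response, { nonce: options && options.nonce } );`. Forwarding only the nonce also keeps any key later added to `options` from reaching the evaluator unintentionally. The enclosing `jQuery.ajax` call starts outside this hunk.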