author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2019-01-21 18:42:39 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-01-21 18:42:39 +0100 |
commit | 5bdc85b82b84e5459462ddad9002f22d1ce74f21 (patch) | |
tree | 226cbd30d60195d6cf418267852b64188de04050 /src | |
parent | e4de8b4626f8872a4cb1ee241b60902653567503 (diff) | |
download | jquery-5bdc85b82b84e5459462ddad9002f22d1ce74f21.tar.gz jquery-5bdc85b82b84e5459462ddad9002f22d1ce74f21.zip |
Core: Support passing nonce through jQuery.globalEval
Fixes gh-4278
Closes gh-4280
Ref gh-3541
Ref gh-4269
Diffstat (limited to 'src')
-rw-r--r-- | src/core.js | 4 | ||||
-rw-r--r-- | src/core/DOMEval.js | 27 | ||||
-rw-r--r-- | src/manipulation.js | 2 |
3 files changed, 18 insertions, 15 deletions
diff --git a/src/core.js b/src/core.js
index 84f9afe13..d9c7e9882 100644
--- a/src/core.js
+++ b/src/core.js
@@ -238,8 +238,8 @@ jQuery.extend( {
 },
 // Evaluates a script in a global context
- globalEval: function( code ) {
- DOMEval( code );
+ globalEval: function( code, options ) {
+ DOMEval( code, { nonce: options && options.nonce } );
 },
 each: function( obj, callback ) {
diff --git a/src/core/DOMEval.js b/src/core/DOMEval.js
index 8d2d0023b..59f6e0247 100644
--- a/src/core/DOMEval.js
+++ b/src/core/DOMEval.js
@@ -10,26 +10,29 @@ define( [
 noModule: true
 };
- function DOMEval( code, doc, node ) {
+ function DOMEval( code, node, doc ) {
 doc = doc || document;
- var i,
+ var i, val,
 script = doc.createElement( "script" );
 script.text = code;
 if ( node ) {
 for ( i in preservedScriptAttributes ) {
- if ( node[ i ] ) {
- script[ i ] = node[ i ];
- } else if ( node.getAttribute( i ) ) {
- // Support: Firefox 64+, Edge 18+
- // Some browsers don't support the "nonce" property on scripts.
- // On the other hand, just using `setAttribute` & `getAttribute`
- // is not enough as `nonce` is no longer exposed as an attribute
- // in the latest standard.
- // See https://github.com/whatwg/html/issues/2369
- script.setAttribute( i, node.getAttribute( i ) );
+ // Support: Firefox 64+, Edge 18+
+ // Some browsers don't support the "nonce" property on scripts.
+ // On the other hand, just using `getAttribute` is not enough as
+ // the `nonce` attribute is reset to an empty string whenever it
+ // becomes browsing-context connected.
+ // See https://github.com/whatwg/html/issues/2369
+ // See https://html.spec.whatwg.org/#nonce-attributes
+ // The `node.getAttribute` check was added for the sake of
+ // `jQuery.globalEval` so that it can fake a nonce-containing node
+ // via an object.
+ val = node[ i ] || node.getAttribute && node.getAttribute( i );
+ if ( val ) {
+ script.setAttribute( i, val );
 }
 }
 }
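Review bot: The comment above `globalEval` still says only "Evaluates a script in a global context" and does not describe the new `options` argument or what the nonce means for callers. Under a nonce-based Content Security Policy the value passed here authorizes whatever string is in `code`, so the comment should say so, for example `// options.nonce (optional) is set on the injected script element; under a nonce-based CSP it authorizes code, so pass trusted code only`. The wrapper forwards only `nonce` from `options`, which keeps callers from setting `src` or `type` on the injected script; a short why-comment on that line would stop a later change from passing `options` through whole. The `jQuery.extend( {` block starts and ends outside the hunk.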
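Review bot: `DOMEval` now takes `( code, node, doc )` instead of `( code, doc, node )`, and a caller still using the old order would pass a document as `node` with no error, silently dropping the script attributes. Only the call in src/manipulation.js is updated in this diff, so any other internal callers should be checked. The new contract for `node` (a script element, or a plain object keyed by attribute name) is stated only in the middle of the loop comment; a header comment such as `// node: a script element or a plain object like { nonce: "..." } whose type/src/nonce/noModule values are copied to the new script` would make it visible at the signature. Since `node[ i ]` is read for every key in `preservedScriptAttributes`, a plain object also contributes any `src` or `type` it carries, so it is worth noting there that object callers must build a fresh object holding only the intended keys, as `jQuery.globalEval` does. The function body continues outside the hunk.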
diff --git a/src/manipulation.js b/src/manipulation.js
index 042728573..a24a5cc0c 100644
--- a/src/manipulation.js
+++ b/src/manipulation.js
@@ -202,7 +202,7 @@ function domManip( collection, args, callback, ignored ) {
 jQuery._evalUrl( node.src );
 }
 } else {
- DOMEval( node.textContent.replace( rcleanScript, "" ), doc, node );
+ DOMEval( node.textContent.replace( rcleanScript, "" ), node, doc );
 }
 }
 }
|
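Review bot: The two branches here treat the script's nonce differently: the inline branch passes `node` to `DOMEval` so the nonce is copied, while the `src` branch in the context lines calls `jQuery._evalUrl( node.src )` with the URL alone. `_evalUrl` is not visible in this diff, so this is an inference, but under a nonce-based CSP an inserted external script may be blocked where an inline one runs. If that is intended for now, a comment on the `_evalUrl` call such as `// TODO: nonce is not forwarded for external scripts` would record the gap. `domManip` starts and ends outside the hunk.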