Core: Preserve CSP nonce on scripts with src attribute in DOM manipulation

Fixes gh-4323 Closes gh-4328
author: buddh4 <mail@jharrer.de> 2019-03-19 22:40:30 +0100
committer: Michał Gołębiowski-Owczarek <m.goleb@gmail.com> 2019-03-25 18:14:24 +0100
commit: 005040379d8b64aacbe54941d878efa6e86df1cc (patch)
tree: 158b1b84fcddcb4271aa5df2955ec017aca6e4e9 /test/data
parent: fe5f04de8fde9c69ed48283b99280aa6df3795c7 (diff)
download: jquery-005040379d8b64aacbe54941d878efa6e86df1cc.tar.gz
jquery-005040379d8b64aacbe54941d878efa6e86df1cc.zip
2 files changed, 18 insertions, 0 deletions
diff --git a/test/data/csp-nonce-external.html b/test/data/csp-nonce-external.html
new file mode 100644
index 000000000..8baa85c75
--- /dev/null
+++ b/test/data/csp-nonce-external.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+	<title>CSP nonce via jQuery.globalEval Test Page</title>
+	<script nonce="jquery+hardcoded+nonce" src="../jquery.js"></script>
+	<script nonce="jquery+hardcoded+nonce" src="iframeTest.js"></script>
+	<script nonce="jquery+hardcoded+nonce" src="csp-nonce-external.js"></script>
+</head>
+<body>
+	<p>CSP nonce for external script Test Page</p>
+</body>
+</html>
diff --git a/test/data/csp-nonce-external.js b/test/data/csp-nonce-external.js
new file mode 100644
index 000000000..efedd5a9a
--- /dev/null
+++ b/test/data/csp-nonce-external.js
@@ -0,0 +1,5 @@
+/* global startIframeTest */
+
+jQuery( function() {
+	$( "body" ).append( "<script nonce='jquery+hardcoded+nonce' src='csp-nonce.js'></script>" );
+} );
author	buddh4 <mail@jharrer.de>	2019-03-19 22:40:30 +0100
committer	Michał Gołębiowski-Owczarek <m.goleb@gmail.com>	2019-03-25 18:14:24 +0100
commit	005040379d8b64aacbe54941d878efa6e86df1cc (patch)
tree	158b1b84fcddcb4271aa5df2955ec017aca6e4e9 /test/data
parent	fe5f04de8fde9c69ed48283b99280aa6df3795c7 (diff)
download	jquery-005040379d8b64aacbe54941d878efa6e86df1cc.tar.gz jquery-005040379d8b64aacbe54941d878efa6e86df1cc.zip