-rw-r--r-- | src/support.js | 11 | ||||
-rw-r--r-- | test/csp.php | 30 |
2 files changed, 40 insertions, 1 deletions
diff --git a/src/support.js b/src/support.js
index f502811ae..7be28fdaf 100644
--- a/src/support.js
+++ b/src/support.js
@@ -75,7 +75,7 @@
 jQuery.support.optDisabled = !opt.disabled;
 jQuery.support.scriptEval = function() {
- if ( jQuery.support._scriptEval === null) {
+ if ( jQuery.support._scriptEval === null ) {
 var root = document.documentElement,
 script = document.createElement("script"),
 id = "script" + jQuery.now();
@@ -101,6 +101,7 @@
 // release memory in IE
 root = script = id = null;
 }
+
 return jQuery.support._scriptEval;
 };
@@ -187,6 +188,14 @@
 var el = document.createElement("div");
 eventName = "on" + eventName;
+ // We only care about the case where non-standard event systems
+ // are used, namely in IE. Short-circuiting here helps us to
+ // avoid an eval call (in setAttribute) which can cause CSP
+ // to go haywire. See: https://developer.mozilla.org/en/Security/CSP
+ if ( !el.attachEvent ) {
+ return true;
+ }
+
 var isSupported = (eventName in el);
 if ( !isSupported ) {
 el.setAttribute(eventName, "return;");
diff --git a/test/csp.php b/test/csp.php
new file mode 100644
index 000000000..acf8f32c9
--- /dev/null
+++ b/test/csp.php
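Review bot: The early return in the third hunk makes the result independent of `eventName` in every browser without `attachEvent`, so outside IE the function is no longer a feature test but a constant, and the added comment explains only why the setAttribute path is skipped, not that the answer becomes unconditional. Extend the comment with a line such as `// In all other browsers this reports every event as supported, whatever eventName is.` so that a caller does not read a `true` from this function as evidence that a particular event fires. If the `eventName in el` probe on the following context line is considered reliable outside IE, `return eventName in el;` would keep a genuine check while still avoiding setAttribute, but that is a behaviour change for any browser that does not reflect handler properties, so it should only replace `return true` once that has been verified. The enclosing function, which takes `eventName`, starts before this hunk.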
@@ -0,0 +1,30 @@
+<?php header("X-Content-Security-Policy-Report-Only: allow *"); ?>
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>CSP Test Page</title>
+
+ <script src="../src/core.js"></script>
+ <script src="../src/support.js"></script>
+ <script src="../src/data.js"></script>
+ <script src="../src/queue.js"></script>
+ <script src="../src/attributes.js"></script>
+ <script src="../src/event.js"></script>
+ <script src="../src/sizzle/sizzle.js"></script>
+ <script src="../src/sizzle-jquery.js"></script>
+ <script src="../src/traversing.js"></script>
+ <script src="../src/manipulation.js"></script>
+ <script src="../src/css.js"></script>
+ <script src="../src/ajax.js"></script>
+ <script src="../src/ajax/jsonp.js"></script>
+ <script src="../src/ajax/script.js"></script>
+ <script src="../src/ajax/xhr.js"></script>
+ <script src="../src/effects.js"></script>
+ <script src="../src/offset.js"></script>
+ <script src="../src/dimensions.js"></script>
+</head>
+<body>
+ <p>CSP Test Page</p>
+</body>
+</html>
|
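Review bot: The page is served with `X-Content-Security-Policy-Report-Only`, so a policy violation while the listed scripts load is reported but never enforced, and nothing on the page fails or records it: no `report-uri` is given, so a report goes at most to the browser console, and the body is a static paragraph with no script that exercises the code paths the support.js change protects. To make this a regression test, send the enforcing header, `header("X-Content-Security-Policy: allow *");`, and add a short script that calls the affected support checks and writes their outcome into the page, so a blocked eval shows up as a visible failure rather than a console message. The `allow *` directive and the `X-` header name are the prefixed syntax of a single browser at the time; a one-line comment at the top of the file naming the browser this page targets would spare the next reader a check against the spec. The Report-Only variant is only worth keeping alongside a report-uri endpoint, if reports are wanted at all.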