-rw-r--r--src/manipulation.js4
-rw-r--r--src/manipulation/_evalUrl.js4
-rw-r--r--test/data/csp-nonce-external.html13
-rw-r--r--test/data/csp-nonce-external.js5
-rw-r--r--test/unit/manipulation.js23
5 files changed, 46 insertions, 3 deletions
diff --git a/src/manipulation.js b/src/manipulation.js
index 7dbc92689..ab19d8b3c 100644
--- a/src/manipulation.js
+++ b/src/manipulation.js
@@ -199,7 +199,9 @@ function domManip( collection, args, callback, ignored ) {
// Optional AJAX dependency, but won't run scripts if not present
if ( jQuery._evalUrl && !node.noModule ) {
- jQuery._evalUrl( node.src );
+ jQuery._evalUrl( node.src, {
+ nonce: node.nonce || node.getAttribute( "nonce" )
+ } );
}
} else {
DOMEval( node.textContent.replace( rcleanScript, "" ), node, doc );
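Review bot: The `node.nonce || node.getAttribute( "nonce" )` fallback on the added line carries no explanation of why both forms are consulted, and the reason is not obvious to a later reader. A one-line comment above it would record the intent, e.g. `// Prefer the nonce IDL property; fall back to the attribute for browsers that do not expose it`. It is also worth noting in that comment that the nonce forwarded here is whatever was present on the script markup the caller asked jQuery to insert, so the evaluated script inherits the trust the page already placed in that markup. When neither source yields a value the object still carries a null or empty `nonce`, which presumably `jQuery.globalEval` tolerates, but that contract lives outside this hunk. The enclosing `domManip` body starts and ends outside the hunk.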
diff --git a/src/manipulation/_evalUrl.js b/src/manipulation/_evalUrl.js
index e20995a89..9a4d2ac6f 100644
--- a/src/manipulation/_evalUrl.js
+++ b/src/manipulation/_evalUrl.js
@@ -4,7 +4,7 @@ define( [
"use strict";
-jQuery._evalUrl = function( url ) {
+jQuery._evalUrl = function( url, options ) {
return jQuery.ajax( {
url: url,
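Review bot: The new `options` parameter on the `jQuery._evalUrl` signature is not documented anywhere in the hunk, and in the second hunk (the `dataFilter` change at `jQuery.globalEval( response, options )`) it is forwarded opaquely, so nothing states what shape callers are expected to pass. A comment at the signature would pin the contract, e.g. `// options: optional { nonce } forwarded to jQuery.globalEval so the fetched script can run under a nonce-based CSP`. Any caller still invoking `_evalUrl( url )` with one argument now passes `undefined` through to `globalEval`; that appears harmless from what is visible here but should be confirmed against `globalEval`'s handling of a missing options argument.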
@@ -22,7 +22,7 @@ jQuery._evalUrl = function( url ) {
"text script": function() {}
},
dataFilter: function( response ) {
- jQuery.globalEval( response );
+ jQuery.globalEval( response, options );
}
} );
};
diff --git a/test/data/csp-nonce-external.html b/test/data/csp-nonce-external.html
new file mode 100644
index 000000000..8baa85c75
--- /dev/null
+++ b/test/data/csp-nonce-external.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>CSP nonce via jQuery.globalEval Test Page</title>
+ <script nonce="jquery+hardcoded+nonce" src="../jquery.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="iframeTest.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="csp-nonce-external.js"></script>
+</head>
+<body>
+ <p>CSP nonce for external script Test Page</p>
+</body>
+</html>
diff --git a/test/data/csp-nonce-external.js b/test/data/csp-nonce-external.js
new file mode 100644
index 000000000..efedd5a9a
--- /dev/null
+++ b/test/data/csp-nonce-external.js
@@ -0,0 +1,5 @@
+/* global startIframeTest */
+
+jQuery( function() {
+ $( "body" ).append( "<script nonce='jquery+hardcoded+nonce' src='csp-nonce.js'></script>" );
+} );
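Review bot: The `/* global startIframeTest */` directive declares a global that nothing in this file references, which suggests it was copied from a sibling fixture; either drop the directive or add a short comment explaining that `csp-nonce.js`, loaded by the appended script tag, is what calls `startIframeTest`. The file also mixes `jQuery( function() {` with `$( "body" )`, so picking one alias, e.g. `jQuery( "body" ).append( ... )`, would keep the fixture consistent. The hard-coded nonce string is fine for a test page but a comment noting it must match the value the mock server emits in its CSP header would save the next person a lookup.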
diff --git a/test/unit/manipulation.js b/test/unit/manipulation.js
index d8c86e31c..b0d3e3a88 100644
--- a/test/unit/manipulation.js
+++ b/test/unit/manipulation.js
@@ -2895,6 +2895,29 @@ testIframe(
);
testIframe(
+ "Check if CSP nonce is preserved for external scripts with src attribute",
+ "mock.php?action=cspNonce&test=external",
+ function( assert, jQuery, window, document ) {
+ var done = assert.async();
+
+ assert.expect( 1 );
+
+ supportjQuery.get( baseURL + "support/csp.log" ).done( function( data ) {
+ assert.equal( data, "", "No log request should be sent" );
+ supportjQuery.get( baseURL + "mock.php?action=cspClean" ).done( done );
+ } );
+ },
+
+ // Support: Edge 18+, iOS 7-9 only, Android 4.0-4.4 only
+ // Edge doesn't support nonce in non-inline scripts.
+ // See https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/
+ // Old iOS & Android Browser versions support script-src but not nonce, making this test
+ // impossible to run. Browsers not supporting CSP at all are not a problem as they'll skip
+ // script-src restrictions completely.
+ QUnit[ /\bedge\/|iphone os [789]|android 4\./i.test( navigator.userAgent ) ? "skip" : "test" ]
+);
+
+testIframe(
"jQuery.globalEval supports nonce",
"mock.php?action=cspNonce&test=globaleval",
function( assert, jQuery, window, document ) {