From c7c2855ed13f23322c4064407c1ed84561b95738 Mon Sep 17 00:00:00 2001
From: Michał Gołębiowski-Owczarek
Date: Mon, 14 Jan 2019 19:29:54 +0100
Subject: Core: Preserve CSP nonce on scripts in DOM manipulation
Fixes gh-3541
Closes gh-4269
---
 src/core/DOMEval.js | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'src/core')
diff --git a/src/core/DOMEval.js b/src/core/DOMEval.js
index 199ec9518..8d2d0023b 100644
--- a/src/core/DOMEval.js
+++ b/src/core/DOMEval.js
@@ -6,6 +6,7 @@ define( [
 var preservedScriptAttributes = {
 type: true,
 src: true,
+ nonce: true,
 noModule: true
 };
@@ -20,6 +21,15 @@ define( [
 for ( i in preservedScriptAttributes ) {
 if ( node[ i ] ) {
 script[ i ] = node[ i ];
+ } else if ( node.getAttribute( i ) ) {
+
+ // Support: Firefox 64+, Edge 18+
+ // Some browsers don't support the "nonce" property on scripts.
+ // On the other hand, just using `setAttribute` & `getAttribute`
+ // is not enough as `nonce` is no longer exposed as an attribute
+ // in the latest standard.
+ // See https://github.com/whatwg/html/issues/2369
+ script.setAttribute( i, node.getAttribute( i ) );
 }
 }
 }
-- 
cgit v1.2.3
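Review bot: Nothing at `preservedScriptAttributes` says that its keys are now used in two ways: as DOM property names by the existing `node[ i ]` lookup and, with the fallback added in the second hunk, as attribute names for `getAttribute`/`setAttribute`. `noModule` is the property spelling, while the content attribute is `nomodule`. That lookup resolves only because HTML documents lowercase the name passed to `getAttribute`, so in an XML document the fallback would presumably miss it. I would add a comment above the map such as `// Keys are tried as properties first, then as attributes; nonce is copied so a re-created script still satisfies a nonce-based CSP`. The map sits inside the `define` callback, which starts and ends outside this hunk.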
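Review bot: The added `else if ( node.getAttribute( i ) )` branch calls `getAttribute` on `node` without checking that the method exists. If any caller passes DOMEval something other than an Element (callers are not visible here), every key whose property is falsy would throw a TypeError instead of being skipped. A minimal guard is `} else if ( node.getAttribute && node.getAttribute( i ) ) {`. Since this branch decides whether the re-created script carries the CSP nonce, the comment could also state that the value is copied only from the source node and never taken from the page. DOMEval's body starts and ends outside this hunk.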