From 005040379d8b64aacbe54941d878efa6e86df1cc Mon Sep 17 00:00:00 2001
From: buddh4
Date: Tue, 19 Mar 2019 22:40:30 +0100
Subject: Core: Preserve CSP nonce on scripts with src attribute in DOM manipulation

Fixes gh-4323
Closes gh-4328
---
 src/manipulation.js | 4 +++-
 src/manipulation/_evalUrl.js | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/manipulation.js b/src/manipulation.js
index 7dbc92689..ab19d8b3c 100644
--- a/src/manipulation.js
+++ b/src/manipulation.js
@@ -199,7 +199,9 @@ function domManip( collection, args, callback, ignored ) {
 // Optional AJAX dependency, but won't run scripts if not present
 if ( jQuery._evalUrl && !node.noModule ) {
- jQuery._evalUrl( node.src );
+ jQuery._evalUrl( node.src, {
+ nonce: node.nonce || node.getAttribute( "nonce" )
+ } );
 }
 } else {
 DOMEval( node.textContent.replace( rcleanScript, "" ), node, doc );
diff --git a/src/manipulation/_evalUrl.js b/src/manipulation/_evalUrl.js
index e20995a89..9a4d2ac6f 100644
--- a/src/manipulation/_evalUrl.js
+++ b/src/manipulation/_evalUrl.js
@@ -4,7 +4,7 @@ define( [
 "use strict";
-jQuery._evalUrl = function( url ) {
+jQuery._evalUrl = function( url, options ) {
 return jQuery.ajax( {
 url: url,
@@ -22,7 +22,7 @@ jQuery._evalUrl = function( url ) {
 "text script": function() {}
 },
 dataFilter: function( response ) {
- jQuery.globalEval( response );
+ jQuery.globalEval( response, options );
 }
 } );
 };
--
cgit v1.2.3
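Review bot: The `nonce:` line in the new `jQuery._evalUrl( node.src, { … } )` call reads the value from two places with no comment saying why, and the reason matters for CSP. Browsers that implement nonce hiding keep the value on the `node.nonce` property and leave an empty content attribute on connected scripts, while older browsers expose only the attribute. I would add above the call `// Prefer the IDL property: nonce hiding empties the attribute; fall back for browsers without it`. When neither is set the key ends up `null` or `""`, so the consumer has to treat a falsy value as "no nonce", which is not visible here. domManip's body starts and ends outside the hunk.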
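Review bot: The added `options` parameter of `jQuery._evalUrl` has no documentation, and any existing one-argument call `jQuery._evalUrl( url )` now leaves it `undefined`. A short comment above the function would record the contract, e.g. `// options: optional object; only { nonce } is expected and it is handed to jQuery.globalEval`. Whether `globalEval` tolerates `undefined` is not visible in this diff and should be confirmed. The function body continues outside the hunk.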
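Review bot: `options` reaches `jQuery.globalEval` in `dataFilter` exactly as the caller supplied it, so the response body is evaluated under the page's nonce with nothing else from the original element applied. In particular, if the source `<script>` carried an `integrity` attribute, no hash comparison is visible anywhere in this diff before evaluation. That may be an accepted limitation, but it should be stated at the call, e.g. `// Evaluated as a nonce-authorised inline script; SRI on the source element is not enforced here`. Forwarding only the key that is needed, `jQuery.globalEval( response, { nonce: options && options.nonce } );`, would keep unrelated keys away from the evaluator.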