author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2019-05-10 13:38:11 +0200 |
---|---|---|
committer | Christoph Wurst <christoph@winzerhof-wurst.at> | 2019-05-10 13:47:21 +0200 |
commit | 51d49c3134c9acf7e2daba5bcc8c87e14a7548f1 (patch) | |
tree | 2c74c588fbcfeb1bb3766ad4a97ab9e4e21dfdc1 /core/src/jquery/index.js | |
parent | 855486d7c14ac41c3b952591cc4acbaed996c45a (diff) | |
Move initCore to the bundle
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Diffstat (limited to 'core/src/jquery/index.js')
-rw-r--r-- | core/src/jquery/index.js | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/core/src/jquery/index.js b/core/src/jquery/index.js
index 71659137b3e..43b379fd2e5 100644
--- a/core/src/jquery/index.js
+++ b/core/src/jquery/index.js
@@ -19,6 +19,8 @@ * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
+import $ from 'jquery'
+
 import './avatar'
 import './contactsmenu'
 import './exists'
@@ -33,3 +35,28 @@ import './ui-fixes'
 import './css/jquery-ui-fixes.scss'
 import './css/jquery.ocdialog.scss'
+
+/**
+ * Disable automatic evaluation of responses for $.ajax() functions (and its
+ * higher-level alternatives like $.get() and $.post()).
+ *
+ * If a response to a $.ajax() request returns a content type of "application/javascript"
+ * JQuery would previously execute the response body. This is a pretty unexpected
+ * behaviour and can result in a bypass of our Content-Security-Policy as well as
+ * multiple unexpected XSS vectors.
+ */
+$.ajaxSetup({ contents: { script: false } })
+
+/**
+ * Disable execution of eval in jQuery. We do require an allowed eval CSP
+ * configuration at the moment for handlebars et al. But for jQuery there is
+ * not much of a reason to execute JavaScript directly via eval.
+ *
+ * This thus mitigates some unexpected XSS vectors.
+ */
+$.globalEval = function () {
+}
|
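Review bot: Replacing `$.globalEval` with an empty function at the end of the second hunk silently discards the script text, so any remaining caller of `$.getScript()` or `$.ajax({ dataType: 'script' })` (jQuery's script converter routes the response body through `globalEval`) will resolve successfully while never running the code, which is hard to diagnose. A stub that fails loudly, e.g. `$.globalEval = function () { throw new Error('$.globalEval is disabled') }`, or that at least logs a warning, would surface such leftover uses during development instead of hiding them. The doc comment above it should also state which paths this actually closes: it covers jQuery's own eval entry point, but whether inline `<script>` elements inserted via `.html()`/`.append()` also pass through `globalEval` depends on the jQuery version bundled (2.x does, 3.x evaluates them directly), which the page does not show. Note too that `contents.script: false` only disables content-type sniffing into the script dataType; an explicit `dataType: 'script'` is unaffected by it and relies solely on the `globalEval` override.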