Add another tweak for handling CSP - we need to make sure that we don't trigger any...
authorJohn Resig <jeresig@gmail.com>
Tue, 18 Jan 2011 20:13:09 +0000 (15:13 -0500)
committerJohn Resig <jeresig@gmail.com>
Tue, 18 Jan 2011 20:13:09 +0000 (15:13 -0500)
src/support.js
test/csp.php [new file with mode: 0644]

index f502811..7be28fd 100644 (file)
@@ -75,7 +75,7 @@
        jQuery.support.optDisabled = !opt.disabled;
 
        jQuery.support.scriptEval = function() {
        jQuery.support.optDisabled = !opt.disabled;
 
        jQuery.support.scriptEval = function() {
-               if ( jQuery.support._scriptEval === null) {
+               if ( jQuery.support._scriptEval === null ) {
                        var root = document.documentElement,
                                script = document.createElement("script"),
                                id = "script" + jQuery.now();
                        var root = document.documentElement,
                                script = document.createElement("script"),
                                id = "script" + jQuery.now();
                        // release memory in IE
                        root = script = id  = null;
                }
                        // release memory in IE
                        root = script = id  = null;
                }
+
                return jQuery.support._scriptEval;
        };
 
                return jQuery.support._scriptEval;
        };
 
                var el = document.createElement("div");
                eventName = "on" + eventName;
 
                var el = document.createElement("div");
                eventName = "on" + eventName;
 
+               // We only care about the case where non-standard event systems
+               // are used, namely in IE. Short-circuiting here helps us to
+               // avoid an eval call (in setAttribute) which can cause CSP
+               // to go haywire. See: https://developer.mozilla.org/en/Security/CSP
+               if ( !el.attachEvent ) {
+                       return true;
+               }
+
                var isSupported = (eventName in el);
                if ( !isSupported ) {
                        el.setAttribute(eventName, "return;");
                var isSupported = (eventName in el);
                if ( !isSupported ) {
                        el.setAttribute(eventName, "return;");
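Review bot: The new `if ( !el.attachEvent ) { return true; }` guard makes this check answer true for every event name on browsers without attachEvent, so the result there no longer says anything about the event that was asked for. That is safe only while callers pass events those browsers are known to support, and the callers are outside this section, so the comment should state the restriction, for example `// NOTE: returns true for any eventName when attachEvent is absent; only pass events all such browsers support`. The comment would also be more exact if it said that `setAttribute(eventName, "return;")` creates an inline event handler, which CSP treats as inline script, rather than calling it an eval. Browsers that expose attachEvent still reach the setAttribute path, so a CSP-enforcing browser that also has attachEvent would presumably still report a violation. The enclosing function starts and ends outside the visible lines.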
diff --git a/test/csp.php b/test/csp.php
new file mode 100644 (file)
index 0000000..acf8f32
--- /dev/null
@@ -0,0 +1,30 @@
+<?php header("X-Content-Security-Policy-Report-Only: allow *"); ?>
+<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+       <title>CSP Test Page</title>
+
+  <script src="../src/core.js"></script>
+  <script src="../src/support.js"></script>
+  <script src="../src/data.js"></script>
+  <script src="../src/queue.js"></script>
+  <script src="../src/attributes.js"></script>
+  <script src="../src/event.js"></script>
+  <script src="../src/sizzle/sizzle.js"></script>
+  <script src="../src/sizzle-jquery.js"></script>
+  <script src="../src/traversing.js"></script>
+  <script src="../src/manipulation.js"></script>
+  <script src="../src/css.js"></script>
+  <script src="../src/ajax.js"></script>
+  <script src="../src/ajax/jsonp.js"></script>
+  <script src="../src/ajax/script.js"></script>
+  <script src="../src/ajax/xhr.js"></script>
+  <script src="../src/effects.js"></script>
+  <script src="../src/offset.js"></script>
+  <script src="../src/dimensions.js"></script>
+</head>
+<body>
+       <p>CSP Test Page</p>
+</body>
+</html>
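Review bot: The header on the first line of test/csp.php is report-only and names no `report-uri`, and the page loads the source files without running any assertion, so a CSP regression is only noticed if someone opens the page and reads the browser's console. Naming a report endpoint would make violations observable, e.g. `header("X-Content-Security-Policy-Report-Only: allow *; report-uri <REPORT_ENDPOINT>");`, where the placeholder stands for a collector script the project would have to add. The page also does not appear to call `jQuery.support.scriptEval()`, which the src/support.js section of this commit shows is evaluated lazily, so that path is probably not exercised here. A short comment at the top stating what the page is expected to cover and how to read the result would help the next person running it.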