jQuery.support.optDisabled = !opt.disabled;
jQuery.support.scriptEval = function() {
- if ( jQuery.support._scriptEval === null) {
+ if ( jQuery.support._scriptEval === null ) {
var root = document.documentElement,
script = document.createElement("script"),
id = "script" + jQuery.now();
// release memory in IE
root = script = id = null;
}
+
return jQuery.support._scriptEval;
};
var el = document.createElement("div");
eventName = "on" + eventName;
+ // We only care about the case where non-standard event systems
+ // are used, namely in IE. Short-circuiting here helps us to
+ // avoid an eval call (in setAttribute) which can cause CSP
+ // to go haywire. See: https://developer.mozilla.org/en/Security/CSP
+ if ( !el.attachEvent ) {
+ return true;
+ }
+
var isSupported = (eventName in el);
if ( !isSupported ) {
el.setAttribute(eventName, "return;");
--- /dev/null
+<?php header("X-Content-Security-Policy-Report-Only: allow *"); ?>
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>CSP Test Page</title>
+
+ <script src="../src/core.js"></script>
+ <script src="../src/support.js"></script>
+ <script src="../src/data.js"></script>
+ <script src="../src/queue.js"></script>
+ <script src="../src/attributes.js"></script>
+ <script src="../src/event.js"></script>
+ <script src="../src/sizzle/sizzle.js"></script>
+ <script src="../src/sizzle-jquery.js"></script>
+ <script src="../src/traversing.js"></script>
+ <script src="../src/manipulation.js"></script>
+ <script src="../src/css.js"></script>
+ <script src="../src/ajax.js"></script>
+ <script src="../src/ajax/jsonp.js"></script>
+ <script src="../src/ajax/script.js"></script>
+ <script src="../src/ajax/xhr.js"></script>
+ <script src="../src/effects.js"></script>
+ <script src="../src/offset.js"></script>
+ <script src="../src/dimensions.js"></script>
+</head>
+<body>
+ <p>CSP Test Page</p>
+</body>
+</html>