#12037 closed bug (duplicate)
Opened July 07, 2012 10:11AM UTC
Closed July 07, 2012 08:48PM UTC
Last modified July 07, 2012 08:48PM UTC
jQuery triggers default CSP inline style blocking
Reported by: | davidben | Owned by: | |
---|---|---|---|
Priority: | undecided | Milestone: | None |
Component: | unfiled | Version: | git |
Keywords: | | Cc: | |
Blocked by: | | Blocking: | |
Description
This is a re-filing of #11249 since that got closed. (Sorry about the bug-spam. I'm not sure if mail from closed bugs ends up disappearing.)
jQuery uses inline styles in support.js, which trips up the default Content Security Policy rules. This is particularly relevant for Chrome extensions which enable CSP by default, but will also become relevant for the web as more people adopt CSP.
Here are tests demonstrating this on 1.7.2 and git.
View them in Chrome and open the JavaScript console. These tests might be fragile as jsfiddle ends up sticking the tag in the body, and there's talk of only allowing it in head (so it's less likely to be attacker-injected). But they seem to work for now.
Here is a patch to fix this. I don't have easy access to IE6-8, and I imagine this is a somewhat hairy part of the code. But I believe I haven't regressed the unit tests in Firefox, Safari, Chrome, Opera, and IE9.
http://web.mit.edu/davidben/Public/jquery-inline-style.patch
Thanks, we'll handle this in #11249. I appreciate the patch!
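A check related to the report above, as an added example that is not part of the ticket or of jQuery's code: it parses a Content-Security-Policy value and reports whether arbitrary inline `style` attributes would be blocked under it. The policy strings are constructed samples, and the function names are this example's own.

```javascript
// Added example: does a Content-Security-Policy value block inline
// style="" attributes? Sample policies below are constructed.

// Parse a policy string into a Map of directive name -> source tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Directive that governs style attributes, in fallback order.
// style-src-attr is a CSP Level 3 addition; older policies use the other two.
function effectiveStyleAttrDirective(directives) {
  for (const name of ['style-src-attr', 'style-src', 'default-src']) {
    if (directives.has(name)) return name;
  }
  return null;
}

// True when the policy blocks arbitrary inline style attributes.
function blocksInlineStyleAttr(policy) {
  const directives = parsePolicy(policy);
  const name = effectiveStyleAttrDirective(directives);
  if (name === null) return false; // no directive restricts styles
  const sources = directives.get(name);
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s));
  return hasNonceOrHash || !sources.includes("'unsafe-inline'");
}

const samples = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "script-src 'self'; object-src 'self'",
  "style-src 'self' 'unsafe-inline' 'nonce-abc123'",
];
for (const p of samples) {
  console.log(blocksInlineStyleAttr(p) ? 'BLOCKED' : 'allowed', '|', p);
}
```

Styles applied from script through the CSSOM (for example `element.style.width = '1px'`) are not subject to this restriction, which is why moving away from `style` attributes in generated markup avoids the violation without loosening the policy.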