CSP error in Chrome 18 when loading jQuery 1.7.1

[adblockforchrome]

jQuery version 1.7.1 Chrome version 18.0.1003.1

Repro:

1. Load in Chrome the extension that is attached to this post (unzip the .zip then drag the .crx onto Chrome).
2. Open the Web Inspector Console on the page that appears.

Expected results: No errors. The page does nothing but load jQuery.

Actual results: 5 "Refused to apply inline style because of Content-Security-Policy." errors.

​Test case

---

You can unzip the attachment and drag the .crx onto Chrome to install it. Here is the contents of the extension. The important part is that manifest.json enables CSP, and page.html includes jQuery.

manifest.json:

{
  "name": "jQuery CSP fail",
  "version": "1",
  "permissions": [ "http://*/*", "https://*/*" ],
  "content_security_policy": "default-src 'self'",
  "background_page": "background.html"
}

background.html:

<script src="background.js"></script>

background.js:

chrome.tabs.create({url:"page.html"});

page.html:

<!DOCTYPE html>
<html>
  <head><script src="jquery.min.js"></script></head>
  <body>
    Open the Web Inspector console to see the jQuery errors.
  </body>
</html>

jquery.min.js:

The minified jQuery 1.7.1 code.

[sindresorhus]

Some reading material here: ​http://code.google.com/chrome/extensions/trunk/contentSecurityPolicy.html

[dmethvin]

Chrome 18 is not released, right? Does it work in Chrome 16? If so it sounds like this should be reported to the Chrome bug tracker.

[davidhong]

Maybe refer to this: ​http://code.google.com/p/chromium/issues/detail?id=105796

[trac-o-bot]

Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!

[Rick Waldron]

#11487 is a duplicate of this ticket.

[Rick Waldron]

Reopening for review

[Jon Oberheide]

CSP incompatibility (either through inline js or inline style setting) will definitely become more of an issue for JS libs like jQuery as CSP adoption increases.

[trhaynes]

Is there a reason why jQuery applies inline styles for effects instead of modifying the DOM directly (element.style.foo = bar). The former will raise these "Refused to apply inline style" errors while the latter will not.

[Rick Waldron]

We need confirmation that this is still an issue.

[trac-o-bot]

Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!

[davidben]

This ticket is still valid. jQuery uses inline styles in a number of places which trips up the default Content-Security-Policy. (Inline style is forbidden to prevent attacker-injected styles from rearranging UI and potentially causing a clickjacking attack and more complex attacks like using attribute selectors to sniff the contents of a form field.)

I can't seem to attach files, but here's a patch that fixes it. I don't have easy access to IE6-8, and this is in I imagine a somewhat hairy part of the code. But I believe I haven't regressed the unit tests Firefox, Safari, Chrome, Opera, and IE9.

​http://web.mit.edu/davidben/Public/jquery-inline-style.patch

[anthonyryan1@…]

This bug valid. What is the process for having this re-opened?

[dmethvin]

#12037 is a duplicate of this ticket.

[dmethvin]

​https://github.com/jquery/jquery/commit/dc83072878ed9636c8158a014bd9fa4acc1ccce3