Bug Tracker

#12037 closed bug (duplicate)

Opened July 07, 2012 10:11AM UTC

Closed July 07, 2012 08:48PM UTC

Last modified July 07, 2012 08:48PM UTC

jQuery triggers default CSP inline style blocking

Reported by: davidben
Owned by:
Priority: undecided
Milestone: None
Component: unfiled
Version: git
Keywords:
Cc:
Blocked by:
Blocking:
Description

This is a re-filing of #11249 since that got closed. (Sorry about the bug-spam. I'm not sure if mail from closed bugs ends up disappearing.)

jQuery uses inline styles in support.js, which trips up the default Content Security Policy rules. This is particularly relevant for Chrome extensions which enable CSP by default, but will also become relevant for the web as more people adopt CSP.

Here are tests demonstrating this on 1.7.2 and git.

http://jsfiddle.net/fYbtb/

http://jsfiddle.net/fYbtb/1/

View them in Chrome and open the JavaScript console. These tests might be fragile as jsfiddle ends up sticking the tag in the body, and there's talk of only allowing it in head (so it's less likely to be attacker-injected). But they seem to work for now.

Here is a patch to fix this. I don't have easy access to IE6-8, and I imagine this is a somewhat hairy part of the code. But I believe I haven't regressed the unit tests in Firefox, Safari, Chrome, Opera, and IE9.

http://web.mit.edu/davidben/Public/jquery-inline-style.patch
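
To triage a report like this one, it helps to check whether a given policy blocks inline `style` attributes at all and which directive is responsible. The following is an added example, not part of the original ticket, the linked patch, or jQuery's code; the function names and the policies used with it are constructed for illustration.

```javascript
// Added example: decide whether a Content-Security-Policy value blocks
// inline style="" attributes. Function names are hypothetical.

// Parse a policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return { blocked, directive } for style attributes under the policy.
// Not modelled: 'unsafe-hashes' combined with a matching hash source.
function inlineStyleAttrVerdict(policy) {
  const directives = parsePolicy(policy);
  // CSP3 lookup order for style attributes; older browsers only know
  // style-src and default-src.
  const name = ['style-src-attr', 'style-src', 'default-src']
    .find((d) => directives.has(d));
  // No governing directive means inline styles are not restricted.
  if (name === undefined) return { blocked: false, directive: null };
  const sources = directives.get(name).map((s) => s.toLowerCase());
  const hasUnsafeInline = sources.includes("'unsafe-inline'");
  // From CSP2 on, a nonce or hash source makes 'unsafe-inline' ignored.
  const hasNonceOrHash = sources.some(
    (s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return { blocked: !(hasUnsafeInline && !hasNonceOrHash), directive: name };
}
```

A `blocked: true` verdict means markup with a `style` attribute, including markup assigned through `innerHTML`, is refused by the browser, while property writes through the CSSOM such as `el.style.width = "1px"` are not affected.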

Attachments (0)
Change History (2)

Changed July 07, 2012 08:48PM UTC by dmethvin comment:1

resolution: → duplicate
status: new → closed

Thanks, we'll handle this in #11249. I appreciate the patch!

Changed July 07, 2012 08:48PM UTC by dmethvin comment:2

Duplicate of #11249.