Bug Tracker

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#12037 closed bug (duplicate)

jQuery triggers default CSP inline style blocking

Reported by: davidben
Owned by:
Priority: undecided
Milestone: None
Component: unfiled
Version: git
Keywords:
Cc:
Blocked by:
Blocking:

Description

This is a re-filing of #11249 since that got closed. (Sorry about the bug-spam. I'm not sure if mail from closed bugs ends up disappearing.)

jQuery uses inline styles in support.js, which trips up the default Content Security Policy rules. This is particularly relevant for Chrome extensions, which enable CSP by default, but will also become relevant for the web as more people adopt CSP.

Here are tests demonstrating this on 1.7.2 and git.

http://jsfiddle.net/fYbtb/
http://jsfiddle.net/fYbtb/1/

View them in Chrome and open the JavaScript console. These tests might be fragile as jsfiddle ends up sticking the tag in the body, and there's talk of only allowing it in head (so it's less likely to be attacker-injected). But they seem to work for now.

Here is a patch to fix this. I don't have easy access to IE6-8, and I imagine this is a somewhat hairy part of the code. But I believe I haven't regressed the unit tests in Firefox, Safari, Chrome, Opera, and IE9.

http://web.mit.edu/davidben/Public/jquery-inline-style.patch
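
As an added illustration (not part of the original ticket and not jQuery's code), the following JavaScript checks whether a given Content-Security-Policy value would block an arbitrary inline `style` attribute, the kind of markup the report describes. The function names and sample policies are constructed for this example, and allow-listing a specific attribute by hash with 'unsafe-hashes' is not modelled.

```javascript
// Added example: would this CSP block an arbitrary inline style="" attribute?
// Names and sample policies are constructed for illustration.

// Split a policy string into a Map of directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fallback chain for style attributes (CSP Level 3):
// style-src-attr, then style-src, then default-src.
function inlineStyleAttrVerdict(header) {
  const directives = parsePolicy(header);
  const chain = ['style-src-attr', 'style-src', 'default-src'];
  const governing = chain.find((name) => directives.has(name)) || null;
  // With no governing directive the policy does not restrict styles at all.
  if (governing === null) return { allowed: true, governing };
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const unsafeInline = sources.includes("'unsafe-inline'");
  // A nonce or hash source makes the browser ignore 'unsafe-inline'.
  const nonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return { allowed: unsafeInline && !nonceOrHash, governing };
}

// Constructed sample policies.
const samples = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "script-src 'self'; object-src 'self'",
  "style-src 'self' 'unsafe-inline' 'nonce-abc123'",
  "default-src 'self' 'unsafe-inline'; style-src-attr 'none'",
];

for (const policy of samples) {
  const { allowed, governing } = inlineStyleAttrVerdict(policy);
  console.log(`${allowed ? 'allowed' : 'BLOCKED'} (${governing || 'no directive'}): ${policy}`);
}
```

Styles that script applies through the CSSOM (for example assigning to `element.style` properties) are not subject to this check; the restriction covers `style` attributes and `<style>` elements in markup.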

Change History (2)

comment:1 Changed 7 years ago by dmethvin

Resolution: duplicate
Status: new → closed

Thanks, we'll handle this in #11249. I appreciate the patch!

comment:2 Changed 7 years ago by dmethvin

Duplicate of #11249.
