#7371 closed bug (fixed)
Delay Execution of Eval Test
Reported by: | john | Owned by: | john |
---|---|---|---|
Priority: | blocker | Milestone: | 1.5 |
Component: | support | Version: | 1.4.4 |
Keywords: | Cc: | ||
Blocked by: | Blocking: | #8200 |
Description
So that we don't throw errors due to CSP we should delay the script execution test in support.js until later. This will cause a regression (as the property won't exist until the test is run) thus we should land this in a major release.
More details about CSP: https://wiki.mozilla.org/Security/CSP
Change History (12)
comment:1 Changed 12 years ago by
Owner: | set to john |
---|---|
Status: | new → assigned |
comment:2 Changed 12 years ago by
Component: | unfiled → support |
---|---|
Priority: | undecided → high |
comment:3 Changed 12 years ago by
comment:5 Changed 12 years ago by
I cancelled the previous pull request and created a new patch that leaves the bulk of the changes in support.js.
comment:7 Changed 12 years ago by
Priority: | high → blocker |
---|---|
Version: | 1.4.3 → 1.4.4 |
comment:8 Changed 12 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Defer scriptEval test until first use to prevent Content Security Policy inline-script violations from occuring. Fixes #7371.
Changeset: 220a0ce1628d376ec14394c9b0be3c10f92a4cdb
comment:9 Changed 12 years ago by
Blocking: | 8200 added |
---|
(In #8200) Applying this patch will contradict this commit: http://bugs.jquery.com/ticket/7371 (which was a blocker)
https://github.com/jquery/jquery/blob/220a0ce1628d376ec14394c9b0be3c10f92a4cdb/src/support.js
comment:10 Changed 12 years ago by
Keywords: | needsdocs added |
---|
comment:11 Changed 12 years ago by
For those interested. Test case is here https://github.com/jquery/jquery/commit/9c763ad39d42c54d
comment:12 Changed 10 years ago by
Keywords: | needsdocs removed |
---|
Since the code now only runs this for IE 6-8 and those don't support CSP, it's safe to leave as-is.
Even though this won't be released until 1.5 it would be great to have a patch as soon as possible as sites are starting to implement CSP and I'd love to be let them patch themselves pre-release.