Bug Tracker

Opened 9 years ago

Closed 9 years ago

Last modified 7 years ago

#7371 closed bug (fixed)

Delay Execution of Eval Test

Reported by: john
Owned by: john
Priority: blocker
Milestone: 1.5
Component: support
Version: 1.4.4
Keywords:
Cc:
Blocked by:
Blocking: #8200

Description

So that we don't throw errors due to CSP we should delay the script execution test in support.js until later. This will cause a regression (as the property won't exist until the test is run) thus we should land this in a major release.

More details about CSP: https://wiki.mozilla.org/Security/CSP

Change History (12)

comment:1 Changed 9 years ago by john

Owner: set to john
Status: new → assigned

comment:2 Changed 9 years ago by john

Component: unfiled → support
Priority: undecided → high

comment:3 Changed 9 years ago by bsterne

Even though this won't be released until 1.5, it would be great to have a patch as soon as possible as sites are starting to implement CSP and I'd love to let them patch themselves pre-release.

comment:4 Changed 9 years ago by Brandon Sterne <bsterne@…>

I posted a patch over here and created a pull request.

comment:5 Changed 9 years ago by Brandon Sterne <brandon.sterne@…>

I cancelled the previous pull request and created a new patch that leaves the bulk of the changes in support.js.

comment:6 Changed 9 years ago by snover

3rd party pull request

comment:7 Changed 9 years ago by john

Priority: high → blocker
Version: 1.4.3 → 1.4.4

comment:8 Changed 9 years ago by Brandon Sterne

Resolution: fixed
Status: assigned → closed

Defer scriptEval test until first use to prevent Content Security Policy inline-script violations from occurring. Fixes #7371.

Changeset: 220a0ce1628d376ec14394c9b0be3c10f92a4cdb

comment:9 Changed 9 years ago by Rick Waldron

Blocking: 8200 added

comment:10 Changed 9 years ago by jitter

Keywords: needsdocs added

comment:11 Changed 9 years ago by jitter

For those interested, the test case is here: https://github.com/jquery/jquery/commit/9c763ad39d42c54d

comment:12 Changed 7 years ago by dmethvin

Keywords: needsdocs removed

Since the code now only runs this for IE 6-8 and those don't support CSP, it's safe to leave as-is.
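
The deferral this ticket asks for, as an added example that is not jQuery's code and not part of the thread: an inline-script probe run eagerly at load versus on first use, against a constructed stub document that counts CSP violations. The names makeDocument, insertInlineScript, probeScriptEval, eagerSupport and deferredSupport are hypothetical, and exposing the deferred result as a function is this sketch's choice.

```javascript
// Added illustration, not jQuery source. All names here are hypothetical and
// the "document" is a constructed stub so the example runs outside a browser.

// Stub document: records every inline <script> insertion. With csp = true it
// behaves like a page whose policy forbids inline script: the insertion is
// counted as a violation and the script body never runs.
function makeDocument(csp) {
  const doc = { inlineInserts: 0, violations: 0, globals: {} };
  doc.insertInlineScript = function (marker) {
    doc.inlineInserts += 1;
    if (csp) { doc.violations += 1; return; } // blocked and reported
    doc.globals[marker] = 1;                  // script body executed
  };
  return doc;
}

// The probe: inject an inline script, then check whether it ran.
function probeScriptEval(doc) {
  const marker = "script" + Date.now();
  doc.insertInlineScript(marker);
  const ran = doc.globals[marker] === 1;
  delete doc.globals[marker];
  return ran;
}

// Before: the probe runs at library load, so every CSP-protected page
// records a violation even if the result is never consulted.
function eagerSupport(doc) {
  return { scriptEval: probeScriptEval(doc) };
}

// After: the probe runs on first call only and the result is cached.
// Callers that read a plain boolean property must change, which is the
// regression the ticket description warns about.
function deferredSupport(doc) {
  let cached = null;
  return {
    scriptEval: function () {
      if (cached === null) { cached = probeScriptEval(doc); }
      return cached;
    }
  };
}
```

With deferral, a CSP-protected page that never takes the code path needing the result reports no violation at all; one that does reports exactly one.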
