#7371 closed bug (fixed)
Delay Execution of Eval Test
| Reported by: | john | Owned by: | john |
|---|---|---|---|
| Priority: | blocker | Milestone: | 1.5 |
| Component: | support | Version: | 1.4.4 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: | #8200 |
Description
So that we don't throw errors due to CSP we should delay the script execution test in support.js until later. This will cause a regression (as the property won't exist until the test is run) thus we should land this in a major release.
More details about CSP: https://wiki.mozilla.org/Security/CSP
Change History (12)
comment:1 Changed 8 years ago by
| Owner: | set to john |
|---|---|
| Status: | new → assigned |
comment:2 Changed 8 years ago by
| Component: | unfiled → support |
|---|---|
| Priority: | undecided → high |
comment:3 Changed 8 years ago by
comment:5 Changed 8 years ago by
I cancelled the previous pull request and created a new patch that leaves the bulk of the changes in support.js.
comment:7 Changed 8 years ago by
| Priority: | high → blocker |
|---|---|
| Version: | 1.4.3 → 1.4.4 |
comment:8 Changed 8 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Defer scriptEval test until first use to prevent Content Security Policy inline-script violations from occuring. Fixes #7371.
Changeset: 220a0ce1628d376ec14394c9b0be3c10f92a4cdb
comment:9 Changed 8 years ago by
| Blocking: | 8200 added |
|---|
(In #8200) Applying this patch will contradict this commit: http://bugs.jquery.com/ticket/7371 (which was a blocker)
https://github.com/jquery/jquery/blob/220a0ce1628d376ec14394c9b0be3c10f92a4cdb/src/support.js
comment:10 Changed 8 years ago by
| Keywords: | needsdocs added |
|---|
comment:11 Changed 8 years ago by
For those interested. Test case is here https://github.com/jquery/jquery/commit/9c763ad39d42c54d
comment:12 Changed 7 years ago by
| Keywords: | needsdocs removed |
|---|
Since the code now only runs this for IE 6-8 and those don't support CSP, it's safe to leave as-is.
Even though this won't be released until 1.5 it would be great to have a patch as soon as possible as sites are starting to implement CSP and I'd love to be let them patch themselves pre-release.