Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Core: Preserve CSP nonce on scripts with src attribute (#4323) #4328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 25, 2019
Merged

Core: Preserve CSP nonce on scripts with src attribute (#4323) #4328

merged 1 commit into from
Mar 25, 2019

Conversation

buddh4
Copy link
Contributor

@buddh4 buddh4 commented Mar 19, 2019

Summary

Fixes #4323

Checklist

mgol
mgol reviewed Mar 20, 2019
View reviewed changes
Copy link
Member

@mgol mgol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had a few simple remarks, I've just pushed fixes for them to your branch.

This is really good! Usually we have to guide contributors to our process and you figured out most of it by yourself. :)

This currently adds 30 bytes to the minified gzipped size. I'll see if we can limit that somehow.

@mgol
Copy link
Member

mgol commented Mar 20, 2019

I pushed another update, it's at +20 bytes now.

@buddh4 For the future's sake, it's a good idea to keep master synced with upstream and commit all your changes to a new branch. It's easier to keep track of your vs upstream changes this way.

@mgol mgol mentioned this pull request Mar 20, 2019
Closed
@mgol mgol added this to the 3.4.0 milestone Mar 20, 2019
mgol
mgol reviewed Mar 20, 2019
View reviewed changes
src/manipulation.js
@@ -199,7 +199,9 @@ function domManip( collection, args, callback, ignored ) {

// Optional AJAX dependency, but won't run scripts if not present
if ( jQuery._evalUrl && !node.noModule ) {
jQuery._evalUrl( node.src );
jQuery._evalUrl( node.src, {
nonce: node.nonce || node.getAttribute( "nonce" )
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hoped this would be compressable with the other similar logic in DOMEval.js but there we iterate over more properties so it cannot be generalized so easily.

We'll be able to simplify it when Firefox & Safari implement the nonce property.

Copy link
Member

@mgol mgol Mar 20, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @gibson042 for compressibility efforts

timmywil
timmywil approved these changes Mar 25, 2019
View reviewed changes
Copy link
Member

@timmywil timmywil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mgol mgol removed the Needs review label Mar 25, 2019
@mgol mgol merged commit 0050403 into jquery:master Mar 25, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Sep 21, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@timmywil timmywil timmywil approved these changes

@mgol mgol mgol approved these changes

Assignees
No one assigned
Labels
Manipulation
Milestone
3.4.0
Development

Successfully merging this pull request may close these issues.

Preserve CSP nonce on scripts with src attribute in DOM manipulation.
3 participants
@buddh4 @mgol @timmywil