X-Git-Url: http://git.asbjorn.biz/?a=blobdiff_plain;f=src%2Fsupport.js;h=7be28fdaf43d9f124788a36c7fc1bbd2b8474cc9;hb=d343bfe528cbb8b08c3beb94cb33d1c444932f06;hp=f502811ae8d8b78d0424caa4c1e1aca24e396540;hpb=220a0ce1628d376ec14394c9b0be3c10f92a4cdb;p=jquery.git diff --git a/src/support.js b/src/support.js index f502811..7be28fd 100644 --- a/src/support.js +++ b/src/support.js @@ -75,7 +75,7 @@ jQuery.support.optDisabled = !opt.disabled; jQuery.support.scriptEval = function() { - if ( jQuery.support._scriptEval === null) { + if ( jQuery.support._scriptEval === null ) { var root = document.documentElement, script = document.createElement("script"), id = "script" + jQuery.now(); @@ -101,6 +101,7 @@ // release memory in IE root = script = id = null; } + return jQuery.support._scriptEval; }; @@ -187,6 +188,14 @@ var el = document.createElement("div"); eventName = "on" + eventName; + // We only care about the case where non-standard event systems + // are used, namely in IE. Short-circuiting here helps us to + // avoid an eval call (in setAttribute) which can cause CSP + // to go haywire. See: https://developer.mozilla.org/en/Security/CSP + if ( !el.attachEvent ) { + return true; + } + var isSupported = (eventName in el); if ( !isSupported ) { el.setAttribute(eventName, "return;");
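Review bot: The new `if ( !el.attachEvent ) { return true; }` guard in the third hunk makes this check report every event name as supported on browsers without `attachEvent`, so the result is only meaningful on the non-standard (IE) path. The added comment should say so, e.g. `// NOTE: returns true for any eventName when attachEvent is absent; not a general feature test`. The `el.setAttribute(eventName, "return;")` fallback is still reached whenever `attachEvent` exists, so a page whose Content-Security-Policy forbids inline handlers would presumably still log a violation in any such browser that enforces CSP. It is worth stating in the comment that the guard relies on `attachEvent` browsers not enforcing the policy. The enclosing function starts before the hunk and continues past it, so its callers and the values they expect are not visible here.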