Add another tweak for handling CSP - we need to make sure that we don't trigger any...
[jquery.git] / src / support.js
index f502811..7be28fd 100644 (file)
@@ -75,7 +75,7 @@
        jQuery.support.optDisabled = !opt.disabled;
 
        jQuery.support.scriptEval = function() {
-               if ( jQuery.support._scriptEval === null) {
+               if ( jQuery.support._scriptEval === null ) {
                        var root = document.documentElement,
                                script = document.createElement("script"),
                                id = "script" + jQuery.now();
                        // release memory in IE
                        root = script = id  = null;
                }
+
                return jQuery.support._scriptEval;
        };
 
                var el = document.createElement("div");
                eventName = "on" + eventName;
 
+               // We only care about the case where non-standard event systems
+               // are used, namely in IE. Short-circuiting here helps us to
+               // avoid an eval call (in setAttribute) which can cause CSP
+               // to go haywire. See: https://developer.mozilla.org/en/Security/CSP
+               if ( !el.attachEvent ) {
+                       return true;
+               }
+
                var isSupported = (eventName in el);
                if ( !isSupported ) {
                        el.setAttribute(eventName, "return;");
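Review bot: The new `if ( !el.attachEvent ) { return true; }` guard makes this check report every event name as supported in browsers without `attachEvent`, so the result there is an assumption rather than a detection. The comment should say so, e.g. `// NOTE: returns true untested when attachEvent is absent; only use for events known to exist in standards browsers`. The guard also keys on `attachEvent` rather than on whether a policy is in force, so a browser that exposes `attachEvent` and enforces CSP would presumably still reach `el.setAttribute(eventName, "return;")` and have the inline handler blocked and reported. The comment's "eval call" is more precisely an inline event-handler attribute, which CSP blocks unless inline script is allowed and treats separately from eval; wording it that way would help anyone later auditing the policy. The enclosing function starts and ends outside the hunk.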