From 9e3d0f3109756ec8b6166ff60f0d495b8f1d6aca Mon Sep 17 00:00:00 2001
From: Oleg
Date: Wed, 30 Oct 2013 16:20:38 +0400
Subject: [PATCH] Fix #14422 and add more thorough check for CSP violations Close gh-1413
---
 src/event/support.js | 13 ++++++++-----
 test/data/support/csp-clean.php | 3 +++
 test/data/support/csp-log.php | 3 +++
 test/data/support/csp.log | 0
 test/data/support/csp.php | 11 +++--------
 test/unit/support.js | 32 ++++++++++++++++++--------------
 6 files changed, 35 insertions(+), 27 deletions(-)
 create mode 100644 test/data/support/csp-clean.php
 create mode 100644 test/data/support/csp-log.php
 create mode 100755 test/data/support/csp.log
diff --git a/src/event/support.js b/src/event/support.js
index 1912b8430..d2a092250 100644
--- a/src/event/support.js
+++ b/src/event/support.js
@@ -4,14 +4,17 @@ define([
 (function () {
 var i, eventName,
- div = document.createElement("div" );
+ div = document.createElement( "div" );
- // Support: IE<9 (lack submit/change bubble), Firefox 17+ (lack focusin event)
- // Beware of CSP restrictions (https://developer.mozilla.org/en/Security/CSP)
+ // Support: IE<9 (lack submit/change bubble), Firefox 23+ (lack focusin event)
 for ( i in { submit: true, change: true, focusin: true }) {
- div.setAttribute( eventName = "on" + i, "t" );
+ eventName = "on" + i;
- support[ i + "Bubbles" ] = eventName in window || div.attributes[ eventName ].expando === false;
+ if ( !(support[ i + "Bubbles" ] = eventName in window) ) {
+ // Beware of CSP restrictions (https://developer.mozilla.org/en/Security/CSP)
+ div.setAttribute( eventName, "t" );
+ support[ i + "Bubbles" ] = div.attributes[ eventName ].expando === false;
+ }
 }
 // Null elements to avoid leaks in IE.
diff --git a/test/data/support/csp-clean.php b/test/data/support/csp-clean.php
new file mode 100644
index 000000000..e16d047a3
--- /dev/null
+++ b/test/data/support/csp-clean.php
@@ -0,0 +1,3 @@
+
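Review bot: In src/event/support.js the relocated comment `// Beware of CSP restrictions` still does not say what the restriction is or why `div.setAttribute( eventName, "t" )` now sits behind the `eventName in window` check. The fallback writes an inline `on*` handler attribute, which a policy that disallows inline script can block or report, so the ordering appears to be what keeps the probe quiet; that reading is inferred from the commit title and should be confirmed by the author. I would spell it out in the comment, e.g. `// Setting an on* attribute counts as an inline handler under CSP; only probe this way when the "in window" test fails`. The assignment inside the `if` condition is also easy to misread as a comparison and could be moved to its own statement before the `if`. The enclosing IIFE starts and ends outside the hunk.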
diff --git a/test/data/support/csp-log.php b/test/data/support/csp-log.php
new file mode 100644
index 000000000..efbb9d7bc
--- /dev/null
+++ b/test/data/support/csp-log.php
@@ -0,0 +1,3 @@
+
diff --git a/test/data/support/csp.log b/test/data/support/csp.log
new file mode 100755
index 000000000..e69de29bb
diff --git a/test/data/support/csp.php b/test/data/support/csp.php
index b21ce0f74..d01def783 100644
--- a/test/data/support/csp.php
+++ b/test/data/support/csp.php
@@ -1,12 +1,7 @@
diff --git a/test/unit/support.js b/test/unit/support.js
index a37f2c022..b87299d53 100644
--- a/test/unit/support.js
+++ b/test/unit/support.js
@@ -60,6 +60,24 @@ testIframeWithCallback( "box-sizing does not affect jQuery.support.shrinkWrapBlo
 strictEqual( shrinkWrapBlocks, computedSupport.shrinkWrapBlocks, "jQuery.support.shrinkWrapBlocks properties are the same" );
 });
+
+// This test checkes CSP only for browsers with "Content-Security-Policy" header support
+// i.e. no old WebKit or old Firefox
+testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Security/CSP) restrictions",
+ "support/csp.php",
+ function( support ) {
+ expect( 2 );
+ deepEqual( jQuery.extend( {}, support ), computedSupport, "No violations of CSP polices" );
+
+ stop();
+
+ supportjQuery.get( "data/support/csp.log" ).done(function( data ) {
+ equal( data, "", "No log request should be sent" );
+ supportjQuery.get( "data/support/csp-clean.php" ).done( start );
+ });
+ }
+);
+
 (function() {
 var expected, version, userAgent = window.navigator.userAgent;
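Review bot: The new CSP test in test/unit/support.js can pass even though a violation was reported, because it reads `data/support/csp.log` as soon as the iframe calls back while browsers deliver violation reports asynchronously; a report that lands after the GET is missed and then presumably erased by `csp-clean.php`. The chain also handles success only: if either request fails, `start` is never called and the run stalls, and a log left uncleaned would fail later runs. At minimum finish the cleanup with `supportjQuery.get( "data/support/csp-clean.php" ).always( start );` and add a `.fail` handler on the log request that records a failed assertion; a short delay or poll before reading the log would narrow the false-negative window. The log is a single shared file (added with mode 100755), so parallel runs against the same server would also see each other's reports.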
@@ -462,17 +480,3 @@ testIframeWithCallback( "box-sizing does not affect jQuery.support.shrinkWrapBlo
 }
 })();
-
-// Support: Safari 5.1
-// Shameless browser-sniff, but Safari 5.1 mishandles CSP
-if ( !( typeof navigator !== "undefined" &&
- (/ AppleWebKit\/\d.*? Version\/(\d+)/.exec(navigator.userAgent) || [])[1] < 6 ) ) {
-
- testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Security/CSP) restrictions",
- "support/csp.php",
- function( support ) {
- expect( 1 );
- deepEqual( jQuery.extend( {}, support ), computedSupport, "No violations of CSP polices" );
- }
- );
-}