Fix #14422 and add more thorough check for CSP violations

Close gh-1413
2024-11-23 02:54:22 +00:00 · 2013-10-30 16:20:38 +04:00 · 2013-10-30 16:20:38 +04:00 · 9e3d0f3109
commit 9e3d0f3109
parent ba2a8fb01e
6 changed files with 35 additions and 27 deletions
--- a/src/event/support.js
+++ b/src/event/support.js
@ -6,12 +6,15 @@ define([
 	var i, eventName,
 		div = document.createElement( "div" );

-	// Support: IE<9 (lack submit/change bubble), Firefox 17+ (lack focusin event)
-	// Beware of CSP restrictions (https://developer.mozilla.org/en/Security/CSP)
+	// Support: IE<9 (lack submit/change bubble), Firefox 23+ (lack focusin event)
 	for ( i in { submit: true, change: true, focusin: true }) {
-		div.setAttribute( eventName = "on" + i, "t" );
+		eventName = "on" + i;

-		support[ i + "Bubbles" ] = eventName in window || div.attributes[ eventName ].expando === false;
+		if ( !(support[ i + "Bubbles" ] = eventName in window) ) {
+			// Beware of CSP restrictions (https://developer.mozilla.org/en/Security/CSP)
+			div.setAttribute( eventName, "t" );
+			support[ i + "Bubbles" ] = div.attributes[ eventName ].expando === false;
+		}
 	}

 	// Null elements to avoid leaks in IE.
--- a/test/data/support/csp-clean.php
+++ b/test/data/support/csp-clean.php
@ -0,0 +1,3 @@
+<?php
+	file_put_contents("csp.log", "", LOCK_EX);
+?>
--- a/test/data/support/csp-log.php
+++ b/test/data/support/csp-log.php
@ -0,0 +1,3 @@
+<?php
+	file_put_contents("csp.log", "error", LOCK_EX);
+?>
--- a/test/data/support/csp.log
+++ b/test/data/support/csp.log
--- a/test/data/support/csp.php
+++ b/test/data/support/csp.php
@ -1,12 +1,7 @@
 <?php
-	# Support: Firefox
-	header("X-Content-Security-Policy: default-src 'self';");
-
-	# Support: Webkit, Safari 5
-	# http://stackoverflow.com/questions/13663302/why-does-my-content-security-policy-work-everywhere-but-safari
-	header("X-WebKit-CSP: script-src " . $_SERVER["HTTP_HOST"] . " 'self'");
-
-	header("Content-Security-Policy: default-src 'self'");
+	# This test page checkes CSP only for browsers with "Content-Security-Policy" header support
+	# i.e. no old WebKit or old Firefox
+	header("Content-Security-Policy: default-src 'self'; report-uri csp-log.php");
 ?>
 <!DOCTYPE html>
 <html>
--- a/test/unit/support.js
+++ b/test/unit/support.js
@ -60,6 +60,24 @@ testIframeWithCallback( "box-sizing does not affect jQuery.support.shrinkWrapBlo
 	strictEqual( shrinkWrapBlocks, computedSupport.shrinkWrapBlocks, "jQuery.support.shrinkWrapBlocks properties are the same" );
 });

+
+// This test checkes CSP only for browsers with "Content-Security-Policy" header support
+// i.e. no old WebKit or old Firefox
+testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Security/CSP) restrictions",
+	"support/csp.php",
+	function( support ) {
+		expect( 2 );
+		deepEqual( jQuery.extend( {}, support ), computedSupport, "No violations of CSP polices" );
+
+		stop();
+
+		supportjQuery.get( "data/support/csp.log" ).done(function( data ) {
+			equal( data, "", "No log request should be sent" );
+			supportjQuery.get( "data/support/csp-clean.php" ).done( start );
+		});
+	}
+);
+
 (function() {
 	var expected, version,
 		userAgent = window.navigator.userAgent;
@ -462,17 +480,3 @@ testIframeWithCallback( "box-sizing does not affect jQuery.support.shrinkWrapBlo
 	}

 })();
-
-// Support: Safari 5.1
-// Shameless browser-sniff, but Safari 5.1 mishandles CSP
-if ( !( typeof navigator !== "undefined" &&
-	(/ AppleWebKit\/\d.*? Version\/(\d+)/.exec(navigator.userAgent) || [])[1] < 6 ) ) {
-
-	testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Security/CSP) restrictions",
-		"support/csp.php",
-		function( support ) {
-			expect( 1 );
-			deepEqual( jQuery.extend( {}, support ), computedSupport, "No violations of CSP polices" );
-		}
-	);
-}