Description
This is a followup to gh-4948. In gh-4949, we stopped stringifying attributes which makes setting the src attribute on a script tag work under trusted types TrustedScriptURL enforcement via Content Security Policy. However, such scripts are still blocked. This is because in domManip scripts are not inserted directly but instead first disabled and then their src attributes are read and inserted in fresh scripts.
There's probably not much we can do when the scripts are deep inside of the inserted HTML string - natively scripts would not fire then but jQuery does execute them which will not work here. However, we could at least make .append(scriptElem) work by forking the code path and treating such top-level scripts independently.
Link to test case
This test is failing:
https://github.com/mgol/jquery/blob/2ba71fa76c09fad476669a320294edeca6b5513c/test/data/trusted-types-attributes.html#L27-L31
For posterity, JS source, more or less:
The expectation is the trusted-types-attributes.js script is executed but currently it is not if the header: is set.
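A minimal Node model of the failure described in this issue, added here as an illustration and not taken from jQuery's source or the linked test. `ScriptElement`, `insertViaFreshScript` and `insertDirectly` are hypothetical names, and the `src` setter is a simplified stand-in for the browser's Trusted Types sink check.

```javascript
// Simplified stand-in for the browser's TrustedScriptURL type (assumption:
// no real DOM or CSP is involved, so this runs in plain Node).
class TrustedScriptURL {
  constructor(url) { this.url = url; }
  toString() { return this.url; }
}

class ScriptElement {
  #src = "";
  // Sink check: under enforcement only TrustedScriptURL values are accepted.
  set src(value) {
    if (!(value instanceof TrustedScriptURL)) {
      throw new TypeError("script.src requires a TrustedScriptURL (modelled message)");
    }
    this.#src = value.toString();
  }
  // Reading the property back yields a plain string: the trusted wrapper is gone.
  get src() { return this.#src; }
}

const executed = [];                          // URLs the model document "ran"
const insert = (el) => { executed.push(el.src); };

// Path described in the issue: read src, copy it into a fresh script.
function insertViaFreshScript(original) {
  const fresh = new ScriptElement();
  fresh.src = original.src;                   // plain string, rejected by the sink
  insert(fresh);
}

// Forked path proposed in the issue: insert the top-level element itself.
function insertDirectly(original) {
  insert(original);
}

// Builds a script the way the test case does, then applies one strategy.
function run(strategy) {
  const script = new ScriptElement();
  script.src = new TrustedScriptURL("trusted-types-attributes.js");
  try { strategy(script); return "executed"; }
  catch (e) { return e instanceof TypeError ? "blocked" : "error"; }
}

console.log("fresh-script path:", run(insertViaFreshScript));
console.log("direct insert path:", run(insertDirectly));
```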