JSG

Reputation: 31

How can I fix jQuery 3.7.0 inline script violation with CSP

jQuery 3.7.0 has a line of code that violates CSP policies for inline scripting, and it has been persisting since version 3.1.1. Seeing as it is clearly not getting fixed anytime soon, I was wondering if there is a way to slap a band-aid on it for now so I can use jQuery. The code is as follows:

function DOMEval( code, node, doc ) {
    doc = doc || document;

    var i, val,
        script = doc.createElement( "script" );

    script.text = code;
    if ( node ) {
        for ( i in preservedScriptAttributes ) {

            // Support: Firefox 64+, Edge 18+
            // Some browsers don't support the "nonce" property on scripts.
            // On the other hand, just using `getAttribute` is not enough as
            // the `nonce` attribute is reset to an empty string whenever it
            // becomes browsing-context connected.
            // See https://github.com/whatwg/html/issues/2369
            // See https://html.spec.whatwg.org/#nonce-attributes
            // The `node.getAttribute` check was added for the sake of
            // `jQuery.globalEval` so that it can fake a nonce-containing node
            // via an object.
            val = node[ i ] || node.getAttribute && node.getAttribute( i );
            if ( val ) {
                script.setAttribute( i, val );
            }
        }
    }
    doc.head.appendChild( script ).parentNode.removeChild( script ); // This line gives ERROR
}

The culprit is the last line here. I am not knowledgeable enough to know what it is supposed to be doing, but CSP is disallowing jQuery based on that inline scripting. Can I substitute it for something else, or do I need this function for basic jQuery functionality to work? I just need jQuery for very basic stuff on my site. My HTML and the HTTPS error:

<html lang="en">
    <head>
    <script src="jquery.js"></script>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
    </head>
</html>

Content-Security-Policy: The page's settings blocked the loading of a resource at inline ("script-src").

I have scoured the internet for fixes on both StackOverflow and the jQuery github, but both are riddled with non-answers and promises to fix it at some point. Enabling the 'unsafe-inline' tag is not a solution to a problem like this, it just disables everything you use CSP for in the first place, yet that is the only solution I've come across.

Upvotes: 3

Views: 1978

Answers (0)
