
jQuery 3.7.0 has a line of code that violates CSP policies for inline scripting, and it has been persisting since version 3.1.1. Seeing as it is clearly not getting fixed anytime soon, I was wondering if there is a way to slap a band-aid on it for now so I can use jQuery. The code is as follows:

function DOMEval( code, node, doc ) {
    doc = doc || document;

    var i, val,
        script = doc.createElement( "script" );

    script.text = code;
    if ( node ) {
        for ( i in preservedScriptAttributes ) {

            // Support: Firefox 64+, Edge 18+
            // Some browsers don't support the "nonce" property on scripts.
            // On the other hand, just using `getAttribute` is not enough as
            // the `nonce` attribute is reset to an empty string whenever it
            // becomes browsing-context connected.
            // See https://github.com/whatwg/html/issues/2369
            // See https://html.spec.whatwg.org/#nonce-attributes
            // The `node.getAttribute` check was added for the sake of
            // `jQuery.globalEval` so that it can fake a nonce-containing node
            // via an object.
            val = node[ i ] || node.getAttribute && node.getAttribute( i );
            if ( val ) {
                script.setAttribute( i, val );
            }
        }
    }
    // Appending the <script> to <head> executes `code` synchronously; the element is
    // then removed again immediately. The inserted element is an inline script, which
    // is what a nonce-less `script-src 'self'` policy rejects.
    doc.head.appendChild( script ).parentNode.removeChild( script ); //This line gives ERROR
}

The culprit is the last line here. I am not knowledgeable enough to know what it is supposed to be doing, but CSP is disallowing jQuery based on that inline scripting. Can I substitute it for something else, or do I need this function for basic jQuery functionality to work? I just need jQuery for very basic stuff on my site. My HTML and the https ERROR:

<html lang="en">
    <head>
    <script src="jquery.js"></script>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
    </head>
</html>

Content-Security-Policy: The page's settings blocked the loading of a resource at inline ("script-src").

I have scoured the internet for fixes on both StackOverflow and the jQuery GitHub, but both are riddled with non-answers and promises to fix it at some point. Enabling the 'unsafe-inline' tag is not a solution to a problem like this; it just disables everything you use CSP for in the first place, yet that is the only solution I've come across.

JSG
  • Have you had a look at [this](https://stackoverflow.com/a/37308542/1533592) answer? – dale landry Aug 13 '23 at 14:12
  • If you only use jQuery for very basic stuff, consider [You might not need jQuery](https://youmightnotneedjquery.com/) – jabaa Aug 13 '23 at 14:12
  • @dalelandry I have taken a look at it, but it does not apply to me as I load from the 'self' source already (I host the file myself in the directory) and not from an external source that requires me to change the source types. The issue lies directly in the inline-scripting violation, which is violated regardless of source type. – JSG Aug 13 '23 at 14:34
  • Thanks @jabaa, I'll take a look at it, though it's a pain that such a basic library is not adhering to basic content-security-policy; a fix for it would still be the better solution for me. But for the time being this might be a good band-aid. – JSG Aug 13 '23 at 14:37
  • I didn't even know that loading libraries in `script` is still a thing in 2023. I would assume that you use a bundler like Webpack or Vite. – jabaa Aug 13 '23 at 14:43

0 Answers