
Attributes: Don't stringify attributes in the setter #4949

Merged: 1 commit merged into jquery:main from trusted-types-attributes on Nov 1, 2021

Conversation

mgol (Member) commented Oct 7, 2021

Summary

Stringifying attributes in the setter was needed for IE <=9 but it breaks
trusted types enforcement when setting a script src attribute.

Note that this doesn't mean script execution works. Since jQuery disables all
scripts by changing their type and then executes them by creating fresh script
tags with proper src & possibly other attributes, this unwraps any trusted
src wrappers, making the script not execute under strict CSP settings.
We might try to fix it in the future in a separate change.

Fixes gh-4948

Checklist
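As an added example, not jQuery's code or anything from this PR: a Node-runnable stand-in for Trusted Types enforcement (the `TrustedScriptURL` class, `policy`, `createScriptElement` and `enforcingSetAttribute` are all constructed here, standing in for the browser's check under CSP `require-trusted-types-for 'script'`), showing why the stringifying setter is rejected while the pass-through one is accepted, and why a script re-created from the stored string attribute still fails.

```javascript
// Added example, not jQuery's code: a Node-runnable stand-in for Trusted Types
// enforcement (a browser applies it under CSP `require-trusted-types-for 'script'`).
// TrustedScriptURL, policy, createScriptElement and enforcingSetAttribute are constructed.
class TrustedScriptURL {
  constructor(url) { this.url = url; }
  toString() { return this.url; }
}

// Constructed policy (a real one comes from trustedTypes.createPolicy): it only
// accepts script URLs under one constructed CDN origin.
const policy = {
  createScriptURL(input) {
    if (!String(input).startsWith("https://cdn.example.test/")) {
      throw new TypeError("createScriptURL rejected " + input);
    }
    return new TrustedScriptURL(String(input));
  },
};
const createScriptElement = () => ({ tagName: "SCRIPT", attributes: {} });

// Under enforcement, script[src] may only receive a TrustedScriptURL; the plain
// string a wrapper unwraps to is rejected.
function enforcingSetAttribute(el, name, value) {
  if (el.tagName === "SCRIPT" && name === "src" && !(value instanceof TrustedScriptURL)) {
    throw new TypeError("This document requires 'TrustedScriptURL' assignment.");
  }
  el.attributes[name] = String(value);
}
// Pre-PR setter: `value + ""` (the IE <= 9 workaround) unwraps the trusted value.
function setAttrStringifying(el, name, value) {
  enforcingSetAttribute(el, name, value + "");
}
// Post-PR setter: pass the value to the DOM untouched.
function setAttrPassthrough(el, name, value) {
  enforcingSetAttribute(el, name, value);
}

// Outcome of each path, plus the remaining problem the PR notes: a fresh script
// built from the stored (string) attribute is rejected again.
function compareSetters(url) {
  const trusted = policy.createScriptURL(url);
  const run = (fn) => { try { return fn(); } catch (e) { return e.name; } };
  const el = createScriptElement();
  return {
    stringifying: run(() => { setAttrStringifying(createScriptElement(), "src", trusted); return "ok"; }),
    passthrough: run(() => { setAttrPassthrough(el, "src", trusted); return el.attributes.src; }),
    recreated: run(() => { setAttrPassthrough(createScriptElement(), "src", el.attributes.src); return "ok"; }),
  };
}
```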

@mgol mgol added the Attributes label Oct 7, 2021
@mgol mgol added this to the 4.0.0 milestone Oct 7, 2021
@mgol mgol self-assigned this Oct 7, 2021
@mgol mgol added the "Discuss in Meeting" and "Needs review" labels Oct 7, 2021
@timmywil timmywil removed the "Discuss in Meeting" label Oct 25, 2021
@mgol mgol force-pushed the trusted-types-attributes branch from 5965d0b to 8497cd0 on October 29, 2021 22:03
@mgol mgol marked this pull request as ready for review October 29, 2021 22:03
@mgol mgol requested a review from timmywil October 29, 2021 22:03
timmywil (Member) commented:
There still seems to be an error on travis related to this PR.

@mgol mgol force-pushed the trusted-types-attributes branch from 8497cd0 to 2773427 on October 31, 2021 21:36

mgol (Member, Author) commented Nov 1, 2021

@timmywil the issue was not clearing CSP logs after the test which affected other tests looking at those logs. I added the clearing and tests are passing now.

timmywil (Member) left a review comment:

Thanks

@mgol mgol removed the Needs review label Nov 1, 2021
@mgol mgol merged commit 4250b62 into jquery:main Nov 1, 2021
@mgol mgol deleted the trusted-types-attributes branch November 1, 2021 17:10
Linked issue closed by this pull request: Attributes: Don't stringify values as it breaks Trusted Types (gh-4948)