From c7c2855ed13f23322c4064407c1ed84561b95738 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?=
 <m.goleb@gmail.com>
Date: Mon, 14 Jan 2019 19:29:54 +0100
Subject: [PATCH] Core: Preserve CSP nonce on scripts in DOM manipulation

Fixes gh-3541
Closes gh-4269
---
 src/core/DOMEval.js           | 10 ++++++++++
 test/data/csp-nonce.html      | 13 +++++++++++++
 test/data/csp-nonce.js        |  8 ++++++++
 test/data/mock.php            |  8 ++++++++
 test/jquery.js                |  2 +-
 test/middleware-mockserver.js |  8 ++++++++
 test/unit/manipulation.js     | 20 ++++++++++++++++++++
 7 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 test/data/csp-nonce.html
 create mode 100644 test/data/csp-nonce.js

diff --git a/src/core/DOMEval.js b/src/core/DOMEval.js
index 199ec951..8d2d0023 100644
--- a/src/core/DOMEval.js
+++ b/src/core/DOMEval.js
@@ -6,6 +6,7 @@ define( [
 	var preservedScriptAttributes = {
 		type: true,
 		src: true,
+		nonce: true,
 		noModule: true
 	};
 
@@ -20,6 +21,15 @@ define( [
 			for ( i in preservedScriptAttributes ) {
 				if ( node[ i ] ) {
 					script[ i ] = node[ i ];
+				} else if ( node.getAttribute( i ) ) {
+
+					// Support: Firefox 64+, Edge 18+
+					// Some browsers don't support the "nonce" property on scripts.
+					// On the other hand, just using `setAttribute` & `getAttribute`
+					// is not enough as `nonce` is no longer exposed as an attribute
+					// in the latest standard.
+					// See https://github.com/whatwg/html/issues/2369
+					script.setAttribute( i, node.getAttribute( i ) );
 				}
 			}
 		}
diff --git a/test/data/csp-nonce.html b/test/data/csp-nonce.html
new file mode 100644
index 00000000..d35c33fc
--- /dev/null
+++ b/test/data/csp-nonce.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+	<title>CSP nonce Test Page</title>
+	<script nonce="jquery+hardcoded+nonce" src="../jquery.js"></script>
+	<script nonce="jquery+hardcoded+nonce" src="iframeTest.js"></script>
+	<script nonce="jquery+hardcoded+nonce" src="csp-nonce.js"></script>
+</head>
+<body>
+	<p>CSP nonce Test Page</p>
+</body>
+</html>
diff --git a/test/data/csp-nonce.js b/test/data/csp-nonce.js
new file mode 100644
index 00000000..507e87e6
--- /dev/null
+++ b/test/data/csp-nonce.js
@@ -0,0 +1,8 @@
+/* global startIframeTest */
+
+jQuery( function() {
+	var script = document.createElement( "script" );
+	script.setAttribute( "nonce", "jquery+hardcoded+nonce" );
+	script.innerHTML = "startIframeTest()";
+	$( document.head ).append( script );
+} );
diff --git a/test/data/mock.php b/test/data/mock.php
index 79110dc4..7e6aa1be 100644
--- a/test/data/mock.php
+++ b/test/data/mock.php
@@ -198,6 +198,14 @@ ok( true, "mock executed");';
 		echo file_get_contents( __DIR__ . '/csp.include.html' );
 	}
 
+	protected function cspNonce( $req ) {
+		// This is CSP only for browsers with "Content-Security-Policy" header support
+		// i.e. no old WebKit or old Firefox
+		header( "Content-Security-Policy: script-src 'nonce-jquery+hardcoded+nonce'; report-uri ./mock.php?action=cspLog" );
+		header( 'Content-type: text/html' );
+		echo file_get_contents( __DIR__ . '/csp-nonce.html' );
+	}
+
 	protected function cspLog( $req ) {
 		file_put_contents( $this->cspFile, 'error' );
 	}
diff --git a/test/jquery.js b/test/jquery.js
index 8ba139e6..6b1aef42 100644
--- a/test/jquery.js
+++ b/test/jquery.js
@@ -54,7 +54,7 @@
 
 	// Otherwise, load synchronously
 	} else {
-		document.write( "<script id='jquery-js' src='" + parentUrl + src + "'><\x2Fscript>" );
+		document.write( "<script id='jquery-js' nonce='jquery+hardcoded+nonce' src='" + parentUrl + src + "'><\x2Fscript>" );
 	}
 
 } )();
diff --git a/test/middleware-mockserver.js b/test/middleware-mockserver.js
index 09371bbe..feed2814 100644
--- a/test/middleware-mockserver.js
+++ b/test/middleware-mockserver.js
@@ -207,6 +207,14 @@ var mocks = {
 		var body = fs.readFileSync( __dirname + "/data/csp.include.html" ).toString();
 		resp.end( body );
 	},
+	cspNonce: function( req, resp ) {
+		resp.writeHead( 200, {
+			"Content-Type": "text/html",
+			"Content-Security-Policy": "script-src 'nonce-jquery+hardcoded+nonce'; report-uri /base/test/data/mock.php?action=cspLog"
+		} );
+		var body = fs.readFileSync( __dirname + "/data/csp-nonce.html" ).toString();
+		resp.end( body );
+	},
 	cspLog: function( req, resp ) {
 		cspLog = "error";
 		resp.writeHead( 200 );
diff --git a/test/unit/manipulation.js b/test/unit/manipulation.js
index 300add5e..c8d5cdef 100644
--- a/test/unit/manipulation.js
+++ b/test/unit/manipulation.js
@@ -2835,3 +2835,23 @@ QUnit.test( "Ignore content from unsuccessful responses (gh-4126)", 1, function(
 		jQuery.globalEval = globalEval;
 	}
 } );
+
+testIframe(
+	"Check if CSP nonce is preserved",
+	"mock.php?action=cspNonce",
+	function( assert, jQuery, window, document ) {
+		var done = assert.async();
+
+		assert.expect( 1 );
+
+		supportjQuery.get( baseURL + "support/csp.log" ).done( function( data ) {
+			assert.equal( data, "", "No log request should be sent" );
+			supportjQuery.get( baseURL + "mock.php?action=cspClean" ).done( done );
+		} );
+	},
+
+	// Support: Edge 18+
+	// Edge doesn't support nonce in non-inline scripts.
+	// See https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/
+	QUnit[ /\bedge\//i.test( navigator.userAgent ) ? "skip" : "test" ]
+);
-- 
2.11.4.GIT