Defer scriptEval test until first use to prevent Content Security Policy inline-script violations from occuring. Fixes #7371.

Author: Brandon Sterne

src/core.js

@@ -578,6 +578,35 @@ jQuery.extend({
 
 			script.type = "text/javascript";
 
+			// Delay the scriptEval test until the first time we want to call it
+			// to prevent CSP inline-script violations (See #7371)
+			if ( jQuery.support.scriptEval == null ) {
+				var root = document.documentElement,
+					testScript = document.createElement("script"),
+					id = "script" + jQuery.now();
+				testScript.type = "text/javascript";
+				try {
+					testScript.appendChild( document.createTextNode( "window." + id + "=1;" ) );
+				} catch(e) {}
+
+				root.insertBefore( testScript, root.firstChild );
+
+				// Make sure that the execution of code works by injecting a script
+				// tag with appendChild/createTextNode
+				// (IE doesn't support this, fails, and uses .text instead)
+				if ( window[ id ] ) {
+					jQuery.support.scriptEval = true;
+					delete window[ id ];
+				}
+				else {
+					jQuery.support.scriptEval = false;
+				}
+
+				root.removeChild( testScript );
+	      // release memory in IE
+	      root = testScript = id = null;
+			}
+
 			if ( jQuery.support.scriptEval ) {
 				script.appendChild( document.createTextNode( data ) );
 			} else {

src/support.js

@@ -4,10 +4,7 @@
 
 	jQuery.support = {};
 
-	var root = document.documentElement,
-		script = document.createElement("script"),
-		div = document.createElement("div"),
-		id = "script" + jQuery.now();
+	var div = document.createElement("div");
 
 	div.style.display = "none";
 	div.innerHTML = "   <link/><table></table><a href='/a' style='color:red;float:left;opacity:.55;'>a</a><input type='checkbox'/>";
@@ -64,7 +61,7 @@
 		deleteExpando: true,
 		optDisabled: false,
 		checkClone: false,
-		scriptEval: false,
+		scriptEval: null,
 		noCloneEvent: true,
 		boxModel: null,
 		inlineBlockNeedsLayout: false,
@@ -77,32 +74,15 @@
 	select.disabled = true;
 	jQuery.support.optDisabled = !opt.disabled;
 
-	script.type = "text/javascript";
-	try {
-		script.appendChild( document.createTextNode( "window." + id + "=1;" ) );
-	} catch(e) {}
-
-	root.insertBefore( script, root.firstChild );
-
-	// Make sure that the execution of code works by injecting a script
-	// tag with appendChild/createTextNode
-	// (IE doesn't support this, fails, and uses .text instead)
-	if ( window[ id ] ) {
-		jQuery.support.scriptEval = true;
-		delete window[ id ];
-	}
-
 	// Test to see if it's possible to delete an expando from an element
 	// Fails in Internet Explorer
 	try {
-		delete script.test;
+		delete div.test;
 
 	} catch(e) {
 		jQuery.support.deleteExpando = false;
 	}
 
-	root.removeChild( script );
-
 	if ( div.attachEvent && div.fireEvent ) {
 		div.attachEvent("onclick", function click() {
 			// Cloning a node shouldn't copy over any
@@ -179,7 +159,7 @@
 
 		var isSupported = (eventName in el);
 		if ( !isSupported ) {
-			el.setAttribute(eventName, "return;");
+			el.addEventListener(eventName, function() { return; }, true);
 			isSupported = typeof el[eventName] === "function";
 		}
 		el = null;
@@ -191,6 +171,6 @@
 	jQuery.support.changeBubbles = eventSupported("change");
 
 	// release memory in IE
-	root = script = div = all = a = null;
+	div = all = a = null;
 })();
 })( jQuery );