Prototype.js registers an event handler in a way that triggers CSP errors

[april]

This particular bit of code:

  var PROBLEMATIC_ATTRIBUTE_READING = (function() {
    DIV.setAttribute('onclick', []);
    var value = DIV.getAttribute('onclick');
    var isFunction = Object.isArray(value);
    DIV.removeAttribute('onclick');
    return isFunction;
  })();

Will trigger warnings in Firefox and Edge when 'unsafe-inline' execution of JavaScript is blocked via CSP. This code could perhaps be removed entirely; alternatively, it could use addEventListener(), which does not cause the same CSP errors.

See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=1296027
https://bugs.chromium.org/p/chromium/issues/detail?id=638957

Thanks!

[jwestbrook]

This block of code is a feature detection to determine if the browser has a problem setting and retrieving a function or array as the onclick attribute. After this block it is not used anymore and will use the bool PROBLEMATIC_ATTRIBUTE_READING flag to determine how further features should be implemented.

In the github master branch this block has been removed as it was mainly for older browsers. This should be resolved at next release.

[april]

Awesome, that's great to hear! Thanks much!

[candrews]

In prototype 1.7.3 (the current latest version), I changed lines 2776-2278 from:

  })();

  if (PROBLEMATIC_ATTRIBUTE_READING) {

to

  });

  if (Prototype.Browser.IE && PROBLEMATIC_ATTRIBUTE_READING()) {

as a workaround for this issue that doesn't also drop compatibility with old browsers which https://github.com/prototypejs/prototype/pull/307/files#diff-6fef80e8642914b14295c6c309ca4cff26e719fb7891045faa3ab5069a10f5e7 does (that's the change referenced in earlier comment #320 (comment) )