I kind of imagine we will one day have a basic polyfill for all the cross-platform issues jQuery actually excels at, and then we truly won’t need jQuery since that’s all it’s really good at these days. Things like chaining are an anti-pattern and lead to brittle code!
Most DOM manipulation in jQuery goes through jQuery.globalEval, which uses eval(). Meaning if you want to have a CSP, you have to allow unsafe-eval if you need to support jQuery.
CSP is an incredibly useful tool, and it’s close to impossible to use it properly with jQuery.
First concrete, legitimate reason I've seen all thread. Is there something fundamental about jQuery's design that forces it to use eval(), or is it possible a new version could avoid that?
>By design, any jQuery constructor or method that accepts an HTML string — jQuery(), .append(), .after(), etc. — can potentially execute code
This makes jQuery less safe in general, but I think the CSP restrictions this puts in place are probably a greater issue for most people. I’ve been involved in retrofitting strict CSPs into a few projects, and more than once I’ve been thwarted by very minor use of jQuery in a couple of places.
It's part of the design of the creation of new elements. But that's just one part of jQuery, and a part I would be completely okay with jQuery getting rid of.
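
Added example, not written by any commenter in this thread: a JavaScript check for the policy concession discussed above, reporting whether a Content-Security-Policy permits eval() and which directive decides it. The function names and the sample policies are constructed for illustration.

```javascript
// Added example: report whether a Content-Security-Policy lets pages call eval().
// Parsing follows the CSP rules: directives are split on ';', names are
// case-insensitive, and a repeated directive is ignored after its first use.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval(), new Function() and string setTimeout() are governed by script-src,
// falling back to default-src. With neither present, nothing restricts them.
function evalStatus(policy) {
  const directives = parseCsp(policy);
  const governedBy = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (governedBy === null) return { governedBy, allowsEval: true };
  const sources = directives.get(governedBy).map((s) => s.toLowerCase());
  return { governedBy, allowsEval: sources.includes("'unsafe-eval'") };
}

// Several policies can apply to one response (comma-separated in a header, or
// multiple headers). Every one of them must permit eval for it to run.
function evalAllowedByAll(headerValue) {
  return headerValue.split(',').every((p) => evalStatus(p).allowsEval);
}

// Constructed sample policies, not taken from any real site.
const samples = [
  "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'",
  "default-src 'self'; script-src 'self' 'unsafe-eval'",
  "default-src 'self' 'unsafe-eval'; script-src 'self'",
  "img-src https:",
];
for (const p of samples) {
  const { governedBy, allowsEval } = evalStatus(p);
  const verdict = allowsEval ? 'eval allowed' : 'eval blocked';
  console.log(`${verdict} (${governedBy ?? 'no script directive'}): ${p}`);
}
```

The third sample shows why the fallback matters: 'unsafe-eval' in default-src has no effect once script-src is present, so auditing only one directive gives the wrong answer.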