hub / github.com/ampproject/amphtml / getCustomBootstrapBaseUrl

Function getCustomBootstrapBaseUrl

src/3p-frame.js:344–375  ·  view source on GitHub ↗

Returns the custom base URL for 3p bootstrap iframes if it exists, otherwise null.

- @param {!Window} parentWindow
- @param {!./service/ampdoc-impl.AmpDoc} ampdoc
- @param {boolean=} opt_strictForUnitTest
- @return {?string}

(
  parentWindow,
  ampdoc,
  opt_strictForUnitTest
)

Source from the content-addressed store, hash-verified

342 * @return {?string}
343 */
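function getCustomBootstrapBaseUrl(
  parentWindow,
  ampdoc,
  opt_strictForUnitTest
) {
  // Looks up the document's `amp-3p-iframe-src` meta value. Returns null when
  // it is absent; otherwise returns the validated URL with
  // `?<mode.version()>` appended. Every validation failure below is reported
  // through userAssert.
  const meta = ampdoc.getMetaByName('amp-3p-iframe-src');
  if (!meta) {
    return null;
  }

  // The meta value comes from the document, so it is passed through
  // assertHttpsUrl before anything else uses it.
  // NOTE(review): assertHttpsUrl is defined outside this listing; presumably
  // it rejects non-HTTPS values, so confirm its exact rules there.
  const url = assertHttpsUrl(meta, 'meta[name="amp-3p-iframe-src"]');

  // The version is appended as the query string on return, so the configured
  // URL must not already carry one.
  // NOTE(review): only '?' is rejected here. If the value could contain a '#'
  // fragment, the appended version would end up inside the fragment. Confirm
  // whether assertHttpsUrl or upstream validation rules that out.
  userAssert(
    url.indexOf('?') === -1,
    '3p iframe url must not include query string %s in element %s.',
    url,
    meta
  );

  // This is not a security primitive, we just don't want this to happen in
  // practice. People could still redirect to the same origin, but they cannot
  // redirect to the proxy origin which is the important one.
  const parsed = parseUrlDeprecated(url);
  // A `localhost` bootstrap host skips the same-origin check unless the
  // caller passes a truthy opt_strictForUnitTest.
  const isLocalhostExempt =
    parsed.hostname === 'localhost' && !opt_strictForUnitTest;
  userAssert(
    isLocalhostExempt ||
      parsed.origin !== parseUrlDeprecated(parentWindow.location.href).origin,
    '3p iframe url must not be on the same origin as the current document ' +
      '%s (%s) in element %s. See https://github.com/ampproject/amphtml' +
      '/blob/main/docs/spec/amp-iframe-origin-policy.md for details.',
    url,
    parsed.origin,
    meta
  );
  return `${url}?${mode.version()}`;
}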
376
377/**
378 * Applies a sandbox to the iframe, if the required flags can be allowed.

Callers 1

getBootstrapBaseUrlFunction · 0.85

Calls 4

assertHttpsUrlFunction · 0.90
userAssertFunction · 0.90
parseUrlDeprecatedFunction · 0.90
getMetaByNameMethod · 0.80

Tested by

no test coverage detected