* @param {string} authorUrl * @param {string} debugId An element identifier for error messages. * @return {!Promise<string>}
(authorUrl, debugId)
| 434 | * @return {!Promise<string>} |
| 435 | */ |
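fetchAuthorScript_(authorUrl, debugId) {
  // Fetches the author's script text and applies the trust check that matches
  // where the bytes actually came from: a Content-Type check for same-origin
  // responses, a SHA-384 hash check for cross-origin ones.
  return Services.xhrFor(this.win)
    .fetchText(authorUrl, {ampCors: false})
    .then((response) => {
      // `response.url` is the URL of the final response, so a same-origin `src`
      // that redirects cross-origin lands on the cross-origin path (and vice
      // versa). A missing `url` also falls through to the stricter path.
      const isSameOrigin = !!response.url && this.sameOrigin_(response.url);

      if (!isSameOrigin) {
        // Cross-origin: the author must pin the script by SHA-384 hash.
        // The check is skipped in development and sandboxed mode.
        if (this.development_ || this.sandboxed_) {
          return response.text();
        }
        return response
          .text()
          .then((text) =>
            this.service_.checkSha384(text, debugId).then(() => text)
          );
      }

      // Same-origin: no hash is required, but the response must be served as
      // JavaScript. This keeps a same-origin endpoint that echoes arbitrary
      // content (e.g. an upload handler answering with text/plain) from being
      // executed as the author script.
      const contentType = response.headers.get('Content-Type');
      // Media types are case-insensitive (RFC 7231 §3.1.1.1), so normalize
      // before matching; a header such as "Text/JavaScript; charset=utf-8"
      // must be accepted. The prefix match tolerates trailing parameters.
      const mediaType = contentType ? contentType.toLowerCase() : '';
      const isJavaScript =
        mediaType.startsWith('application/javascript') ||
        mediaType.startsWith('text/javascript');
      if (!isJavaScript) {
        // TODO(#24266): Refactor to %s interpolation when error string
        // extraction is ready.
        throw user().createError(
          TAG,
          'Same-origin "src" requires "Content-Type: text/javascript" or "Content-Type: application/javascript". ' +
            `Fetched source for ${debugId} has "Content-Type: ${contentType}". ` +
            'See https://amp.dev/documentation/components/amp-script/#security-features.'
        );
      }
      return response.text();
    });
}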
| 473 | |
| 474 | /** |
| 475 | * Returns true iff `url` has the same origin as the AMP document. |