hub / github.com/ampproject/amphtml / fetchAuthorScript_

Method fetchAuthorScript_

extensions/amp-script/0.1/amp-script.js:436–472  ·  view source on GitHub ↗

* @param {string} authorUrl
* @param {string} debugId An element identifier for error messages.
* @return {!Promise<string>}

(authorUrl, debugId)

Source from the content-addressed store, hash-verified

434 * @return {!Promise<string>}
435 */
fetchAuthorScript_(authorUrl, debugId) {
  // Fetches the author script text and applies one of two gates before
  // handing it back, chosen by the origin of the URL the response reports
  // (response.url), not by the requested authorUrl:
  //   - same-origin: the Content-Type header must look like JavaScript;
  //   - otherwise: the text must pass this.service_.checkSha384, unless
  //     development or sandboxed mode is on.
  const xhr = Services.xhrFor(this.win);
  return xhr.fetchText(authorUrl, {ampCors: false}).then((response) => {
    const fetchedUrl = response.url;
    const isSameOrigin = fetchedUrl && this.sameOrigin_(fetchedUrl);

    if (!isSameOrigin) {
      // A response with no URL lands here too, so it takes the hash-checked
      // path rather than the Content-Type-only path.
      const skipHashCheck = this.development_ || this.sandboxed_;
      if (skipHashCheck) {
        // No integrity check at all in these modes: the fetched text is
        // returned as-is.
        return response.text();
      }
      // Resolve with the text only after checkSha384 has resolved; a
      // rejection from it propagates to the caller.
      return response
        .text()
        .then((text) =>
          this.service_.checkSha384(text, debugId).then(() => text)
        );
    }

    // Disallow non-JS content type for same-origin scripts. A missing
    // header is rejected as well. The match is a case-sensitive prefix
    // test, so parameters such as "; charset=utf-8" are accepted.
    const contentType = response.headers.get('Content-Type');
    const hasJsContentType =
      !!contentType &&
      (contentType.startsWith('application/javascript') ||
        contentType.startsWith('text/javascript'));
    if (!hasJsContentType) {
      // TODO(#24266): Refactor to %s interpolation when error string
      // extraction is ready.
      throw user().createError(
        TAG,
        'Same-origin "src" requires "Content-Type: text/javascript" or "Content-Type: application/javascript". ' +
          `Fetched source for ${debugId} has "Content-Type: ${contentType}". ` +
          'See https://amp.dev/documentation/components/amp-script/#security-features.'
      );
    }
    return response.text();
  });
}
473
474 /**
475 * Returns true iff `url` has the same origin as the AMP document.

Callers 1

getAuthorScript_ · Method · 0.95

Calls 8

sameOrigin_ · Method · 0.95
user · Function · 0.90
fetchText · Method · 0.80
checkSha384 · Method · 0.80
then · Method · 0.45
get · Method · 0.45
createError · Method · 0.45
text · Method · 0.45

Tested by

no test coverage detected