hub / github.com/angular-ui/ui-grid / allowAutoBootstrap

Function allowAutoBootstrap

lib/test/angular/1.6.7/angular.js:1637–1684  ·  view source on GitHub ↗
(document)

Source from the content-addressed store, hash-verified

1635}
1636
/**
 * Decides whether automatic bootstrapping is permitted, judging by the `<script>` element that
 * is currently executing.
 *
 * The check exists so that a copy of angular.js bundled with a browser extension cannot be used
 * to bypass the content security policy of web pages and other browser extensions: bootstrapping
 * is refused unless every source attribute of the script is same-origin with the page or uses
 * one of the schemes listed below.
 *
 * @param {Document} document The document whose `currentScript`, `location` and `createElement`
 *     are consulted.
 * @returns {boolean} `true` when auto-bootstrap is allowed, `false` otherwise.
 */
function allowAutoBootstrap(document) {
  var currentScript = document.currentScript;

  // Support: IE 9-11 only
  // IE has no `document.currentScript`, so nothing can be verified there and the check passes.
  if (!currentScript) {
    return true;
  }

  // A `currentScript` that is not a real script element means the property has been clobbered,
  // which indicates a probable attack: refuse to bootstrap.
  var isScriptElement = currentScript instanceof window.HTMLScriptElement ||
      currentScript instanceof window.SVGScriptElement;
  if (!isScriptElement) {
    return false;
  }

  // Schemes accepted for a script that is not same-origin with the page.
  var knownWebProtocols = ['http:', 'https:', 'ftp:', 'blob:', 'file:', 'data:'];

  // Every attribute that can name the script's location is looked up first and checked
  // afterwards; a single untrusted value is enough to refuse.
  var scriptAttributes = currentScript.attributes;
  var sourceAttributes = ['src', 'href', 'xlink:href'].map(function(attributeName) {
    return scriptAttributes.getNamedItem(attributeName);
  });

  function isTrustedSource(sourceAttribute) {
    // Attribute not present: nothing to check.
    if (!sourceAttribute) {
      return true;
    }
    // Attribute present but empty: rejected.
    if (!sourceAttribute.value) {
      return false;
    }

    // Let the browser resolve the value through an anchor element, so that origin and protocol
    // are read from the parsed URL instead of being picked out of the raw string.
    var anchor = document.createElement('a');
    anchor.href = sourceAttribute.value;

    // Same-origin resources are always allowed, even for non-whitelisted schemes.
    // NOTE(review): this compares the serialized origin strings; confirm how a page and a script
    // that both have an opaque origin (serialized as "null") are meant to be treated here.
    if (document.location.origin === anchor.origin) {
      return true;
    }

    return knownWebProtocols.indexOf(anchor.protocol) !== -1;
  }

  for (var i = 0; i < sourceAttributes.length; i++) {
    if (!isTrustedSource(sourceAttributes[i])) {
      return false;
    }
  }
  return true;
}
1685
// The decision is taken once, while this file is being loaded, and then cached:
// `document.currentScript` has to be read during loading to be available.
var isAutoBootstrapAllowed = allowAutoBootstrap(window.document);

Callers 1

angular.jsFile · 0.70

Calls

no outgoing calls

Tested by

no test coverage detected