
lib/test/angular/1.7.0/angular.js:1605–1652  ·  view source on GitHub ↗

1603}
1604
/**
 * Decides whether angular.js may auto-bootstrap (`ng-app`) based on where the
 * currently executing script was loaded from.
 *
 * The script element is taken from `document.currentScript`. Each of its
 * `src`, `href` and `xlink:href` attributes that is present must either be
 * same-origin with the document or use one of a fixed set of web schemes.
 * A missing `currentScript` (IE 9-11) allows bootstrapping; a clobbered one
 * (not an HTML or SVG script element) forbids it.
 *
 * @param {Document} document the document to inspect
 * @returns {boolean} true when auto-bootstrapping is allowed
 */
function allowAutoBootstrap(document) {
  var script = document.currentScript;

  // Support: IE 9-11 only
  // IE does not have `document.currentScript`, so there is nothing to check.
  if (!script) {
    return true;
  }

  // Anything other than a real script element means the property has been
  // clobbered, which indicates a probable attack: refuse to bootstrap.
  var isScriptElement = script instanceof window.HTMLScriptElement ||
                        script instanceof window.SVGScriptElement;
  if (!isScriptElement) {
    return false;
  }

  // Schemes angular.js may be loaded from when it is not same-origin with the
  // document. Bootstrapping from any other scheme is disabled so that angular.js
  // bundled with a browser extension cannot be used to bypass the content
  // security policy of web pages and other browser extensions.
  var ALLOWED_PROTOCOLS = {
    'http:': true,
    'https:': true,
    'ftp:': true,
    'blob:': true,
    'file:': true,
    'data:': true
  };

  // Returns true when a single source attribute (or its absence) is acceptable.
  function isAllowedSource(attribute) {
    // Absent attribute: nothing to validate.
    if (!attribute) {
      return true;
    }
    // Present but empty: not allowed.
    if (!attribute.value) {
      return false;
    }

    // Let the browser resolve the URL so `origin` and `protocol` are normalised.
    var link = document.createElement('a');
    link.href = attribute.value;

    // Same-origin resources are always allowed, even for non-whitelisted schemes.
    // NOTE(review): this assumes both sides are concrete origin strings; if the
    // browser reports `undefined` or the opaque 'null' origin for both the
    // document and the link they compare equal here — confirm that is intended.
    if (link.origin === document.location.origin) {
      return true;
    }

    return Object.prototype.hasOwnProperty.call(ALLOWED_PROTOCOLS, link.protocol);
  }

  var attributes = script.attributes;
  var sources = [
    attributes.getNamedItem('src'),
    attributes.getNamedItem('href'),
    attributes.getNamedItem('xlink:href')
  ];

  // Every present source attribute has to pass; stop at the first rejection.
  for (var i = 0; i < sources.length; i++) {
    if (!isAllowedSource(sources[i])) {
      return false;
    }
  }
  return true;
}
1653
// Cached as it has to run during loading so that document.currentScript is available.
// Evaluated once, at script-load time, with the real document; later reads of this
// flag therefore reflect where angular.js itself was loaded from, not the caller.
var isAutoBootstrapAllowed = allowAutoBootstrap(window.document);
