| 1603 | } |
| 1604 | |
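/**
 * Decides whether AngularJS may auto-bootstrap (via `ng-app`) based on where the
 * currently executing angular.js script was loaded from.
 *
 * Why: a copy of angular.js bundled with a browser extension must not be usable to
 * bootstrap arbitrary web pages, because the extension's origin would then be used to
 * bypass the page's Content Security Policy. So a cross-origin script is only accepted
 * when it was loaded from a scheme ordinarily used on the web.
 *
 * @param {Document} document - The document whose `currentScript` and `location` are inspected.
 * @returns {boolean} `true` when auto-bootstrap is allowed, `false` when it must be disabled.
 *   `true` when `document.currentScript` is unavailable (IE 9-11) and for inline scripts
 *   (no `src` / `href` / `xlink:href` attribute). `false` when `currentScript` has been
 *   clobbered (is not an HTML/SVG script element), when a present source attribute is empty,
 *   or when the script URL is cross-origin and not on a whitelisted scheme. All present
 *   source attributes must pass.
 */
function allowAutoBootstrap(document) {
  var script = document.currentScript;

  if (!script) {
    // Support: IE 9-11 only
    // IE does not have `document.currentScript`
    return true;
  }

  // If the `currentScript` property has been clobbered (e.g. by a named DOM element or by
  // script), fail closed: this indicates a probable attack.
  if (!(script instanceof window.HTMLScriptElement || script instanceof window.SVGScriptElement)) {
    return false;
  }

  var attributes = script.attributes;
  // `href` / `xlink:href` cover `<script>` elements inside SVG.
  var srcs = [attributes.getNamedItem('src'), attributes.getNamedItem('href'), attributes.getNamedItem('xlink:href')];
  var pageOrigin = document.location.origin;
  // One anchor is enough for parsing every candidate URL; relative URLs resolve against the
  // document's base URL when assigned to `href`.
  var link = document.createElement('a');

  return srcs.every(function(src) {
    if (!src) {
      // Attribute absent: nothing to check (inline scripts take this path for all three).
      return true;
    }
    if (!src.value) {
      // Attribute present but empty: refuse rather than guess what it resolves to.
      return false;
    }

    link.href = src.value;
    var scriptOrigin = link.origin;

    // Same-origin resources are always allowed, even for non-whitelisted schemes.
    // Two guards on the comparison:
    //  - opaque origins serialize as the string 'null' (sandboxed frames, `data:` documents,
    //    some unrecognized schemes); two opaque origins are never actually the same origin,
    //    so 'null' === 'null' must not grant the exemption;
    //  - engines lacking `HTMLAnchorElement.origin` yield `undefined`; don't let
    //    `undefined === undefined` pass either. Both cases fall through to the scheme check.
    if (typeof scriptOrigin === 'string' && scriptOrigin !== 'null' && scriptOrigin === pageOrigin) {
      return true;
    }

    // Disable bootstrapping unless angular.js was loaded from a known scheme used on the web.
    // This is to prevent angular.js bundled with browser extensions from being used to bypass the
    // content security policy in web pages and other browser extensions. Extension schemes
    // (`chrome-extension:`, `moz-extension:`, ...) and unparseable URLs land in `default`.
    switch (link.protocol) {
      case 'http:':
      case 'https:':
      case 'ftp:':
      case 'blob:':
      case 'file:':
      case 'data:':
        return true;
      default:
        return false;
    }
  });
}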
| 1653 | |
// Cached as it has to run during loading so that document.currentScript is available.
// `document.currentScript` only refers to this script while it is executing; evaluating the
// check later (e.g. from a DOMContentLoaded handler) would see a null `currentScript`, which
// allowAutoBootstrap treats as "allow" — so the decision must be taken and stored right here.
var isAutoBootstrapAllowed = allowAutoBootstrap(window.document);