hub / github.com/angular-ui/ui-grid / allowAutoBootstrap

Function allowAutoBootstrap

lib/test/angular/1.8.0/angular.js:1645–1692  ·  view source on GitHub ↗
(document)

Source from the content-addressed store, hash-verified

1643}
1644
/**
 * Decides whether automatic bootstrapping is permitted, judging by the <script> element that is
 * executing right now (`document.currentScript`).
 *
 * The check exists so that a copy of angular.js bundled with a browser extension cannot be used
 * to bypass the content security policy of web pages or of other browser extensions.
 *
 * Outcomes, in order:
 *  - `currentScript` is falsy: allowed. This is a fail-open path; it was written for IE 9-11, but
 *    any falsy value takes it.
 *  - `currentScript` is not an HTML or SVG script element: refused, because the property has
 *    probably been clobbered.
 *  - otherwise every one of the `src`, `href` and `xlink:href` attributes that is present must be
 *    non-empty and either same-origin with the document or use one of the listed web schemes.
 *    A script element carrying none of these attributes is allowed.
 *
 * @param {Document} document The document whose `currentScript`, `location` and `createElement`
 *     are consulted.
 * @returns {boolean} `true` when auto-bootstrap may proceed, `false` otherwise.
 */
function allowAutoBootstrap(document) {
  var currentScript = document.currentScript;

  // Support: IE 9-11 only
  // IE does not have `document.currentScript`, so there is nothing to inspect.
  if (!currentScript) {
    return true;
  }

  // A value that is not a real script element means `currentScript` was clobbered;
  // treat that as a probable attack and refuse.
  var isScriptElement = currentScript instanceof window.HTMLScriptElement ||
      currentScript instanceof window.SVGScriptElement;
  if (!isScriptElement) {
    return false;
  }

  var attributeMap = currentScript.attributes;
  var sourceAttributes = [
    attributeMap.getNamedItem('src'),
    attributeMap.getNamedItem('href'),
    attributeMap.getNamedItem('xlink:href')
  ];

  // Schemes in common use on the web. Anything else (for example an extension-specific scheme)
  // is refused unless the resource is same-origin with the document.
  var knownWebSchemes = ['http:', 'https:', 'ftp:', 'blob:', 'file:', 'data:'];

  var isAllowedSource = function(sourceAttribute) {
    // Attribute not present on the element: nothing to object to.
    if (!sourceAttribute) {
      return true;
    }
    // Attribute present but empty: refuse.
    if (!sourceAttribute.value) {
      return false;
    }

    // Let the browser resolve the URL so that origin and protocol come from its own parser.
    var resolver = document.createElement('a');
    resolver.href = sourceAttribute.value;

    // Same-origin resources are always allowed, even for schemes outside the list.
    if (document.location.origin === resolver.origin) {
      return true;
    }

    return knownWebSchemes.indexOf(resolver.protocol) !== -1;
  };

  return sourceAttributes.every(isAllowedSource);
}
// Evaluated once while angular.js itself is loading and then cached: the check has to run during
// loading so that `document.currentScript` is available.
var isAutoBootstrapAllowed = allowAutoBootstrap(window.document);

Callers 1

angular.jsFile · 0.70

Calls

no outgoing calls

Tested by

no test coverage detected