| 1515 | } |
| 1516 | |
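/**
 * Decides whether angular.js may bootstrap the application automatically from the script
 * element that is currently executing.
 *
 * Must run synchronously during script evaluation, because it relies on
 * `document.currentScript`, which only refers to angular.js while angular.js is executing.
 *
 * Bootstrapping is refused when angular.js was loaded from a scheme that is not used for
 * ordinary web resources (the schemes browser extensions serve their resources from, for
 * example), so that a copy of angular.js bundled with an extension cannot be used to bypass the
 * content security policy of a web page or of another extension.
 *
 * @param {Document} document - the document the script is executing in
 * @returns {boolean} true when auto-bootstrap is allowed
 */
function allowAutoBootstrap(document) {
  var script = document.currentScript;

  if (!script) {
    // Nothing to inspect (browser without `currentScript`, or a script not run by the parser):
    // keep the pre-existing behaviour of allowing bootstrap.
    return true;
  }

  // `document.currentScript` is subject to DOM clobbering: markup such as
  // `<img name="currentScript">` injected before this script makes the property return a
  // non-script element that has no `src`, which would otherwise make the scheme check pass.
  // Only genuine script elements (HTML `SCRIPT`, SVG `script`) are inspected; anything else is
  // treated as a probable attack. `tagName` is checked before any method call so that a
  // clobbered value (a form or a window proxy) cannot make the call throw.
  if (String(script.tagName).toLowerCase() !== 'script') {
    return false;
  }

  // An external script references its source via `src` (HTML), `href` (SVG 2) or
  // `xlink:href` (SVG 1.1). Every URL that is present must be acceptable; an absent or empty
  // attribute is treated as "inline", as the original `src`-only check did.
  var urlAttributes = ['src', 'href', 'xlink:href'];
  for (var i = 0; i < urlAttributes.length; i++) {
    var url = script.getAttribute(urlAttributes[i]);
    if (url && !isAllowedBootstrapScriptUrl(document, url)) {
      return false;
    }
  }

  return true;
}

/**
 * Decides whether a script loaded from `url` may auto-bootstrap angular in `document`.
 *
 * Same-origin scripts are always accepted. Cross-origin scripts are accepted only when loaded
 * via a scheme commonly used on the web; every other scheme is rejected.
 *
 * @param {Document} document - the document the script is executing in
 * @param {string} url - the script URL as written in the markup (may be relative)
 * @returns {boolean} true when bootstrap from this script is allowed
 */
function isAllowedBootstrapScriptUrl(document, url) {
  // An anchor element resolves a relative URL against the document's base URL and exposes the
  // resolved origin and scheme.
  var link = document.createElement('a');
  link.href = url;

  if (document.location.origin === link.origin) {
    // Same-origin resources are always allowed, even for non-whitelisted schemes.
    return true;
  }

  // Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
  // This is to prevent angular.js bundled with browser extensions from being used to bypass the
  // content security policy in web pages and other browser extensions.
  switch (link.protocol) {
    case 'http:':
    case 'https:':
    case 'ftp:':
    case 'blob:':
    case 'file:':
    case 'data:':
      return true;
    default:
      return false;
  }
}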
| 1547 | |
// Cached as it has to run during loading so that document.currentScript is available.
// The decision is taken exactly once, synchronously, while angular.js is the executing script
// (the only moment at which document.currentScript refers to angular.js) and stored for later
// use rather than recomputed.
var isAutoBootstrapAllowed = allowAutoBootstrap(window.document);