| 1645 | } |
| 1646 | |
/**
 * Decides whether angular.js may bootstrap automatically (e.g. via `ng-app`).
 *
 * The decision is based on where the currently executing script was loaded from:
 * same-origin sources are always accepted, cross-origin sources only when they use
 * one of the common web schemes. This keeps a copy of angular.js that ships inside
 * a browser extension from being used to bootstrap pages (or other extensions)
 * whose content security policy would otherwise forbid it.
 *
 * @param {Document} document the document whose `currentScript` and `location` are inspected
 * @returns {boolean} true when auto-bootstrap is permitted, false otherwise
 */
function allowAutoBootstrap(document) {
  var currentScript = document.currentScript;

  // Support: IE 9-11 only
  // IE does not have `document.currentScript`, so there is nothing to inspect.
  if (!currentScript) {
    return true;
  }

  // A `currentScript` that is not a real script element means the property has been
  // clobbered, which indicates a probable attack: refuse to bootstrap.
  var isScriptElement = currentScript instanceof window.HTMLScriptElement ||
                        currentScript instanceof window.SVGScriptElement;
  if (!isScriptElement) {
    return false;
  }

  // Schemes from which a cross-origin copy of angular.js is still accepted.
  var allowedProtocols = ['http:', 'https:', 'ftp:', 'blob:', 'file:', 'data:'];

  // Checks a single source attribute; an absent attribute never blocks bootstrapping.
  function isSourceAllowed(attr) {
    if (!attr) {
      return true;
    }
    if (!attr.value) {
      // Attribute present but empty: treated as suspicious.
      return false;
    }

    // Let the browser resolve the URL so `origin` and `protocol` are normalised.
    var resolved = document.createElement('a');
    resolved.href = attr.value;

    // Same-origin resources are always allowed, even for non-whitelisted schemes.
    // NOTE(review): this is a plain string comparison of serialised origins; an opaque
    // origin serialises as "null" on both sides — confirm that case cannot arise here.
    if (resolved.origin === document.location.origin) {
      return true;
    }

    // Disabled bootstrapping unless angular.js was loaded from a known scheme used on
    // the web. This is to prevent angular.js bundled with browser extensions from being
    // used to bypass the content security policy in web pages and other browser extensions.
    return allowedProtocols.indexOf(resolved.protocol) !== -1;
  }

  var scriptAttributes = currentScript.attributes;
  var sources = [
    scriptAttributes.getNamedItem('src'),
    scriptAttributes.getNamedItem('href'),
    scriptAttributes.getNamedItem('xlink:href')
  ];

  // Every present source attribute must pass; the first failure denies bootstrapping.
  for (var i = 0; i < sources.length; i++) {
    if (!isSourceAllowed(sources[i])) {
      return false;
    }
  }
  return true;
}
| 1695 | |
// Cached as it has to run during loading so that document.currentScript is available.
// Evaluated once, at script load time, rather than lazily when bootstrapping is attempted.
var isAutoBootstrapAllowed = allowAutoBootstrap(window.document);