
Function allowAutoBootstrap

test/angular/1.6/angular.js:1647–1694  ·  view source on GitHub ↗

1645}
1646
function allowAutoBootstrap(document) {
  // Schemes under which a cross-origin copy of angular.js may still auto-bootstrap.
  // Anything else is refused so that an angular.js bundled with a browser extension
  // cannot be used to bypass the content security policy of web pages or of other
  // browser extensions.
  var allowedProtocols = ['http:', 'https:', 'ftp:', 'blob:', 'file:', 'data:'];
  var script = document.currentScript;

  // Support: IE 9-11 only
  // IE does not expose `document.currentScript`, so there is nothing to verify.
  if (!script) {
    return true;
  }

  // A `currentScript` that is not a genuine script element means the property has
  // been clobbered; treat that as a probable attack and refuse to bootstrap.
  var isGenuineScript = script instanceof window.HTMLScriptElement ||
                        script instanceof window.SVGScriptElement;
  if (!isGenuineScript) {
    return false;
  }

  /**
   * Decides whether a single source attribute of the script permits bootstrapping.
   * An absent attribute is acceptable; a present but empty one is not.
   *
   * @param {Attr|null} attr the `src`, `href` or `xlink:href` attribute node, if any
   * @returns {boolean} true when this attribute does not block bootstrapping
   */
  function sourceAllowsBootstrap(attr) {
    if (!attr) {
      return true;
    }
    if (!attr.value) {
      return false;
    }

    // Let the browser's own URL parser resolve the attribute value.
    var resolved = document.createElement('a');
    resolved.href = attr.value;

    // Same-origin resources are always allowed, even for non-whitelisted schemes.
    if (document.location.origin === resolved.origin) {
      return true;
    }
    return allowedProtocols.indexOf(resolved.protocol) !== -1;
  }

  var attributes = script.attributes;
  var candidates = [
    attributes.getNamedItem('src'),
    attributes.getNamedItem('href'),
    attributes.getNamedItem('xlink:href')
  ];

  // Every candidate attribute must pass; the first failing one vetoes bootstrapping.
  for (var i = 0; i < candidates.length; i++) {
    if (!sourceAllowsBootstrap(candidates[i])) {
      return false;
    }
  }
  return true;
}
1695
// Evaluated once, at load time: the check must run while this script is still
// executing so that `document.currentScript` refers to it; a later, lazy call
// would no longer see the same value.
var isAutoBootstrapAllowed = allowAutoBootstrap(window.document);
