hub / github.com/angular-ui/ui-router / allowAutoBootstrap

Function allowAutoBootstrap

test/angular/1.7/angular.js:1644–1691  ·  view source on GitHub ↗
(document)

Source from the content-addressed store, hash-verified

1642}
1643
/**
 * Decides whether automatic bootstrapping is permitted, based on the <script>
 * element that is currently executing.
 *
 * Security rationale: a copy of angular.js bundled inside a browser extension
 * must not be usable to bypass the content security policy of web pages or of
 * other extensions, so bootstrapping is refused when the script was loaded
 * cross-origin from a scheme outside the known web schemes listed below.
 *
 * Note that the element constructors are read from the global `window`, not
 * from the `document` argument.
 *
 * @param {Document} document Document whose `currentScript`, `location` and
 *     `createElement` are consulted.
 * @returns {boolean} `true` when auto-bootstrap may proceed, `false` otherwise.
 */
function allowAutoBootstrap(document) {
  var currentScript = document.currentScript;

  // Support: IE 9-11 only
  // IE does not expose `document.currentScript`, so there is nothing to inspect.
  if (!currentScript) {
    return true;
  }

  // A `currentScript` that is not a real script element means the property has
  // been clobbered; treat that as a probable attack and fail closed.
  var isScriptElement = currentScript instanceof window.HTMLScriptElement ||
      currentScript instanceof window.SVGScriptElement;
  if (!isScriptElement) {
    return false;
  }

  // Schemes from which a cross-origin angular.js is still accepted.
  var knownWebProtocols = ['http:', 'https:', 'ftp:', 'blob:', 'file:', 'data:'];

  var attributeMap = currentScript.attributes;
  var sourceAttributes = [
    attributeMap.getNamedItem('src'),
    attributeMap.getNamedItem('href'),
    attributeMap.getNamedItem('xlink:href')
  ];

  // Every source-bearing attribute has to pass; stop at the first one that fails.
  for (var i = 0; i < sourceAttributes.length; i++) {
    var sourceAttr = sourceAttributes[i];

    // An absent attribute imposes no restriction.
    if (!sourceAttr) {
      continue;
    }
    // A present attribute with an empty value is rejected.
    if (!sourceAttr.value) {
      return false;
    }

    // Let an anchor element resolve the URL so origin and protocol can be read.
    var anchor = document.createElement('a');
    anchor.href = sourceAttr.value;

    // Same-origin resources are always allowed, even for schemes not on the list.
    if (document.location.origin === anchor.origin) {
      continue;
    }

    if (knownWebProtocols.indexOf(anchor.protocol) === -1) {
      return false;
    }
  }

  return true;
}
1692
// Evaluated once, while this file is loading, and kept for later use:
// the check has to run at load time so that `document.currentScript` is available.
var isAutoBootstrapAllowed = allowAutoBootstrap(window.document);

Callers 1

angular.jsFile · 0.70

Calls

no outgoing calls

Tested by

no test coverage detected