fix(angularInit): allow auto-bootstraping from inline script

Some browsers (e.g. Safari 9.x, PhantomJS) do not set `link.origin/protocol`
correctly, when setting `link.href` to `null`, which prevented auto-bootstraping
Angular from scripts without a `src` attribute (i.e. inline scripts).
Inline scripts are on the same origin as the loading page, so auto-bootstraping
should be allowed.

Fixes #15567

Closes #15571
This commit is contained in:
Georgios Kalpakas
2017-01-03 16:55:38 +02:00
parent 090a839ac9
commit 0694af8fc4
2 changed files with 29 additions and 4 deletions
+6 -2
View File
@@ -1479,12 +1479,16 @@ function getNgAttribute(element, ngAttr) {
}
function allowAutoBootstrap(document) {
if (!document.currentScript) {
var script = document.currentScript;
var src = script && script.getAttribute('src');
if (!src) {
return true;
}
var src = document.currentScript.getAttribute('src');
var link = document.createElement('a');
link.href = src;
if (document.location.origin === link.origin) {
// Same-origin resources are always allowed, even for non-whitelisted schemes.
return true;
+23 -2
View File
@@ -1684,7 +1684,8 @@ describe('angular', function() {
});
it('should bootstrap from an extension into an extension document for same-origin documents only', function() {
if (msie) return; // IE does not support document.currentScript (nor extensions with protocol), so skip test.
// IE does not support `document.currentScript` (nor extensions with protocol), so skip test.
if (msie) return;
// Extension URLs are browser-specific, so we must choose a scheme that is supported by the browser to make
// sure that the URL is properly parsed.
@@ -1715,8 +1716,28 @@ describe('angular', function() {
expect(allowAutoBootstrap(fakeDoc)).toBe(false);
});
it('should bootstrap from a script with an empty or missing `src` attribute', function() {
// IE does not support `document.currentScript` (nor extensions with protocol), so skip test.
if (msie) return;
// Fake a minimal document object (the actual document.currentScript is readonly).
var src;
var fakeDoc = {
createElement: document.createElement.bind(document),
currentScript: {getAttribute: function() { return src; }},
location: {origin: 'some-value', protocol: 'http:'}
};
src = null;
expect(allowAutoBootstrap(fakeDoc)).toBe(true);
src = '';
expect(allowAutoBootstrap(fakeDoc)).toBe(true);
});
it('should not bootstrap from an extension into a non-extension document', function() {
if (msie) return; // IE does not support document.currentScript (nor extensions with protocol), so skip test.
// IE does not support `document.currentScript` (nor extensions with protocol), so skip test.
if (msie) return;
var src = 'resource://something';
// Fake a minimal document object (the actual document.currentScript is readonly).