fix(Angular): do not auto bootstrap if the script source is bad and inside SVG
+29
-21
@@ -1532,33 +1532,41 @@ function getNgAttribute(element, ngAttr) {
|
||||
|
||||
function allowAutoBootstrap(document) {
|
||||
var script = document.currentScript;
|
||||
var src = script && script.getAttribute('src');
|
||||
|
||||
if (!src) {
|
||||
if (!script) {
|
||||
// IE does not have `document.currentScript`
|
||||
return true;
|
||||
}
|
||||
|
||||
var link = document.createElement('a');
|
||||
link.href = src;
|
||||
var srcs = [script.getAttribute('src'), script.getAttribute('href'), script.getAttribute('xlink:href')];
|
||||
|
||||
if (document.location.origin === link.origin) {
|
||||
// Same-origin resources are always allowed, even for non-whitelisted schemes.
|
||||
return true;
|
||||
}
|
||||
// Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
|
||||
// This is to prevent angular.js bundled with browser extensions from being used to bypass the
|
||||
// content security policy in web pages and other browser extensions.
|
||||
switch (link.protocol) {
|
||||
case 'http:':
|
||||
case 'https:':
|
||||
case 'ftp:':
|
||||
case 'blob:':
|
||||
case 'file:':
|
||||
case 'data:':
|
||||
return srcs.every(function(src) {
|
||||
if (!src) {
|
||||
return true;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
var link = document.createElement('a');
|
||||
link.href = src;
|
||||
|
||||
if (document.location.origin === link.origin) {
|
||||
// Same-origin resources are always allowed, even for non-whitelisted schemes.
|
||||
return true;
|
||||
}
|
||||
// Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
|
||||
// This is to prevent angular.js bundled with browser extensions from being used to bypass the
|
||||
// content security policy in web pages and other browser extensions.
|
||||
switch (link.protocol) {
|
||||
case 'http:':
|
||||
case 'https:':
|
||||
case 'ftp:':
|
||||
case 'blob:':
|
||||
case 'file:':
|
||||
case 'data:':
|
||||
return true;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
// Cached as it has to run during loading so that document.currentScript is available.
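Review bot: The `xlink:href` entry in the new `srcs` array is looked up by its literal qualified name, so as far as I can tell an SVG script whose XLink attribute is bound under a different prefix is simply not inspected and the `.every` check passes on the remaining two attributes; resolving it by namespace, `script.getAttributeNS('http://www.w3.org/1999/xlink', 'href')`, does not depend on the prefix the document happened to use. Separately, nothing in the function says why `href` and `xlink:href` are consulted at all — that rationale only lives in the test file — so a line such as `// SVG <script> elements load their source via href/xlink:href rather than src, so every source-bearing attribute is checked` above the `srcs` declaration would keep the next maintainer from "simplifying" it back to `src`. As a point of style, the anchor element is now created once per attribute inside the callback; hoisting `document.createElement('a')` above the `.every` and only reassigning `link.href` would avoid the repeated allocation without changing the result. `allowAutoBootstrap` is fully contained in this hunk; the `getNgAttribute` in the hunk header is only the preceding context.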
|
||||
|
||||
@@ -1771,6 +1771,19 @@ describe('angular', function() {
|
||||
expect(allowAutoBootstrap(createFakeDoc({src: 'file://whatever'}))).toBe(true);
|
||||
});
|
||||
|
||||
it('should not bootstrap from an extension into a non-extension document, via SVG script', function() {
|
||||
|
||||
// SVG script tags don't use the `src` attribute to load their source.
|
||||
// Instead they use `href` or the deprecated `xlink:href` attributes.
|
||||
|
||||
expect(allowAutoBootstrap(createFakeDoc({href: 'resource://something'}))).toBe(false);
|
||||
expect(allowAutoBootstrap(createFakeDoc({'xlink:href': 'resource://something'}))).toBe(false);
|
||||
|
||||
expect(allowAutoBootstrap(createFakeDoc({src: 'http://something', href: 'resource://something'}))).toBe(false);
|
||||
expect(allowAutoBootstrap(createFakeDoc({href: 'http://something', 'xlink:href': 'resource://something'}))).toBe(false);
|
||||
expect(allowAutoBootstrap(createFakeDoc({src: 'resource://something', href: 'http://something', 'xlink:href': 'http://something'}))).toBe(false);
|
||||
});
|
||||
|
||||
it('should not bootstrap if bootstrapping is disabled', function() {
|
||||
isAutoBootstrapAllowed = false;
|
||||
angularInit(jqLite('<div ng-app></div>')[0], bootstrapSpy);
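Review bot: The new SVG test case asserts only the rejecting side, so an implementation that refused to bootstrap for every script carrying an `href` or `xlink:href` would still pass it; there is no positive case proving that an SVG script loaded from an allowed scheme is still accepted. Adding `expect(allowAutoBootstrap(createFakeDoc({href: 'http://something'}))).toBe(true);` and the `xlink:href` equivalent next to the `resource://` assertions would pin both directions of the behaviour, assuming `createFakeDoc` maps its keys onto `getAttribute` (its definition is outside this hunk). The enclosing `describe('angular', ...)` block starts before the hunk.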
|
||||
|
||||