fix(Angular): do not auto bootstrap if the script source is bad and inside SVG

Peter Bacon Darwin
2017-02-24 12:27:19 +00:00
parent c357b1aba6
commit a649758655
2 changed files with 42 additions and 21 deletions
+29 -21
@@ -1532,33 +1532,41 @@ function getNgAttribute(element, ngAttr) {
function allowAutoBootstrap(document) {
var script = document.currentScript;
var src = script && script.getAttribute('src');
if (!src) {
if (!script) {
// IE does not have `document.currentScript`
return true;
}
var link = document.createElement('a');
link.href = src;
var srcs = [script.getAttribute('src'), script.getAttribute('href'), script.getAttribute('xlink:href')];
if (document.location.origin === link.origin) {
// Same-origin resources are always allowed, even for non-whitelisted schemes.
return true;
}
// Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
// This is to prevent angular.js bundled with browser extensions from being used to bypass the
// content security policy in web pages and other browser extensions.
switch (link.protocol) {
case 'http:':
case 'https:':
case 'ftp:':
case 'blob:':
case 'file:':
case 'data:':
return srcs.every(function(src) {
if (!src) {
return true;
default:
return false;
}
}
var link = document.createElement('a');
link.href = src;
if (document.location.origin === link.origin) {
// Same-origin resources are always allowed, even for non-whitelisted schemes.
return true;
}
// Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
// This is to prevent angular.js bundled with browser extensions from being used to bypass the
// content security policy in web pages and other browser extensions.
switch (link.protocol) {
case 'http:':
case 'https:':
case 'ftp:':
case 'blob:':
case 'file:':
case 'data:':
return true;
default:
return false;
}
});
}
// Cached as it has to run during loading so that document.currentScript is available.
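Review bot: The new `script.getAttribute('xlink:href')` lookup matches the attribute by its literal qualified name, so it only covers the conventional `xlink:` prefix; in an SVG document the XLink namespace can be bound to a different prefix, in which case that lookup yields `null` and the `every` callback treats the entry as "no source" and allows bootstrapping. Resolving by namespace, `script.getAttributeNS('http://www.w3.org/1999/xlink', 'href')`, checks the attribute regardless of the prefix used, while the plain `src` and `href` lookups are unaffected. The reason for consulting `href` and `xlink:href` at all is only explained in the test file; a one-line comment above `var srcs`, e.g. `// SVG <script> elements load their source via href/xlink:href rather than src, so check all three.`, would help the next reader of the production code. The function body is fully inside this hunk, so the behaviour that a script with none of the three attributes still bootstraps (every entry is null) is unchanged from before the commit.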
+13
@@ -1771,6 +1771,19 @@ describe('angular', function() {
expect(allowAutoBootstrap(createFakeDoc({src: 'file://whatever'}))).toBe(true);
});
it('should not bootstrap from an extension into a non-extension document, via SVG script', function() {
// SVG script tags don't use the `src` attribute to load their source.
// Instead they use `href` or the deprecated `xlink:href` attributes.
expect(allowAutoBootstrap(createFakeDoc({href: 'resource://something'}))).toBe(false);
expect(allowAutoBootstrap(createFakeDoc({'xlink:href': 'resource://something'}))).toBe(false);
expect(allowAutoBootstrap(createFakeDoc({src: 'http://something', href: 'resource://something'}))).toBe(false);
expect(allowAutoBootstrap(createFakeDoc({href: 'http://something', 'xlink:href': 'resource://something'}))).toBe(false);
expect(allowAutoBootstrap(createFakeDoc({src: 'resource://something', href: 'http://something', 'xlink:href': 'http://something'}))).toBe(false);
});
it('should not bootstrap if bootstrapping is disabled', function() {
isAutoBootstrapAllowed = false;
angularInit(jqLite('<div ng-app></div>')[0], bootstrapSpy);