fix(angularInit): allow auto-bootstraping from inline script
Some browsers (e.g. Safari 9.x, PhantomJS) do not set `link.origin/protocol` correctly, when setting `link.href` to `null`, which prevented auto-bootstraping Angular from scripts without a `src` attribute (i.e. inline scripts). Inline scripts are on the same origin as the loading page, so auto-bootstraping should be allowed. Fixes #15567 Closes #15571
This commit is contained in:
+6
-2
@@ -1479,12 +1479,16 @@ function getNgAttribute(element, ngAttr) {
|
||||
}
|
||||
|
||||
function allowAutoBootstrap(document) {
|
||||
if (!document.currentScript) {
|
||||
var script = document.currentScript;
|
||||
var src = script && script.getAttribute('src');
|
||||
|
||||
if (!src) {
|
||||
return true;
|
||||
}
|
||||
var src = document.currentScript.getAttribute('src');
|
||||
|
||||
var link = document.createElement('a');
|
||||
link.href = src;
|
||||
|
||||
if (document.location.origin === link.origin) {
|
||||
// Same-origin resources are always allowed, even for non-whitelisted schemes.
|
||||
return true;
|
||||
|
||||
+23
-2
@@ -1684,7 +1684,8 @@ describe('angular', function() {
|
||||
});
|
||||
|
||||
it('should bootstrap from an extension into an extension document for same-origin documents only', function() {
|
||||
if (msie) return; // IE does not support document.currentScript (nor extensions with protocol), so skip test.
|
||||
// IE does not support `document.currentScript` (nor extensions with protocol), so skip test.
|
||||
if (msie) return;
|
||||
|
||||
// Extension URLs are browser-specific, so we must choose a scheme that is supported by the browser to make
|
||||
// sure that the URL is properly parsed.
|
||||
@@ -1715,8 +1716,28 @@ describe('angular', function() {
|
||||
expect(allowAutoBootstrap(fakeDoc)).toBe(false);
|
||||
});
|
||||
|
||||
it('should bootstrap from a script with an empty or missing `src` attribute', function() {
|
||||
// IE does not support `document.currentScript` (nor extensions with protocol), so skip test.
|
||||
if (msie) return;
|
||||
|
||||
// Fake a minimal document object (the actual document.currentScript is readonly).
|
||||
var src;
|
||||
var fakeDoc = {
|
||||
createElement: document.createElement.bind(document),
|
||||
currentScript: {getAttribute: function() { return src; }},
|
||||
location: {origin: 'some-value', protocol: 'http:'}
|
||||
};
|
||||
|
||||
src = null;
|
||||
expect(allowAutoBootstrap(fakeDoc)).toBe(true);
|
||||
|
||||
src = '';
|
||||
expect(allowAutoBootstrap(fakeDoc)).toBe(true);
|
||||
});
|
||||
|
||||
it('should not bootstrap from an extension into a non-extension document', function() {
|
||||
if (msie) return; // IE does not support document.currentScript (nor extensions with protocol), so skip test.
|
||||
// IE does not support `document.currentScript` (nor extensions with protocol), so skip test.
|
||||
if (msie) return;
|
||||
|
||||
var src = 'resource://something';
|
||||
// Fake a minimal document object (the actual document.currentScript is readonly).
|
||||
|
||||
Reference in New Issue
Block a user