
Commit 7d8ca1b

fix(Angular): do not auto bootstrap if the script source is bad and inside SVG
1 parent 56bfad1 commit 7d8ca1b

2 files changed

+42
-21
lines changed


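--- a/src/Angular.js
+++ b/src/Angular.js
@@ -1447,33 +1447,41 @@ function getNgAttribute(element, ngAttr) {
 
 function allowAutoBootstrap(document) {
   var script = document.currentScript;
-  var src = script && script.getAttribute('src');
 
-  if (!src) {
+  if (!script) {
+    // IE does not have `document.currentScript`
     return true;
   }
 
-  var link = document.createElement('a');
-  link.href = src;
+  var srcs = [script.getAttribute('src'), script.getAttribute('href'), script.getAttribute('xlink:href')];
 
-  if (document.location.origin === link.origin) {
-    // Same-origin resources are always allowed, even for non-whitelisted schemes.
-    return true;
-  }
-  // Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
-  // This is to prevent angular.js bundled with browser extensions from being used to bypass the
-  // content security policy in web pages and other browser extensions.
-  switch (link.protocol) {
-    case 'http:':
-    case 'https:':
-    case 'ftp:':
-    case 'blob:':
-    case 'file:':
-    case 'data:':
+  return srcs.every(function(src) {
+    if (!src) {
       return true;
-    default:
-      return false;
-  }
+    }
+
+    var link = document.createElement('a');
+    link.href = src;
+
+    if (document.location.origin === link.origin) {
+      // Same-origin resources are always allowed, even for non-whitelisted schemes.
+      return true;
+    }
+    // Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
+    // This is to prevent angular.js bundled with browser extensions from being used to bypass the
+    // content security policy in web pages and other browser extensions.
+    switch (link.protocol) {
+      case 'http:':
+      case 'https:':
+      case 'ftp:':
+      case 'blob:':
+      case 'file:':
+      case 'data:':
+        return true;
+      default:
+        return false;
+    }
+  });
 }
 
 // Cached as it has to run during loading so that document.currentScript is available.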
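Review bot: The `xlink:href` lookup on new line 1456, `script.getAttribute('xlink:href')`, matches the attribute by its literal qualified name, so an XLink-namespaced `href` written under a different prefix is not seen; that entry is then `null`, the `if (!src) { return true; }` guard inside `every` passes it, and only `src`/`href` decide the outcome. If the intent is to cover any XLink `href` regardless of prefix, `getAttributeNS` is the reliable lookup: `var srcs = [script.getAttribute('src'), script.getAttribute('href'), script.getAttribute('xlink:href'), script.getAttributeNS('http://www.w3.org/1999/xlink', 'href')];` (keeping the qualified-name form for documents where `getAttributeNS` is unavailable). The list also deserves a one-line comment, e.g. `// HTML scripts load via 'src'; SVG scripts use 'href' or the deprecated 'xlink:href', so every candidate must pass the scheme check.`, since the reason for checking three attributes is otherwise only recorded in the spec. The fake document used by the spec is not shown here, so whether it would distinguish the two lookups cannot be confirmed from this page.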

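--- a/test/AngularSpec.js
+++ b/test/AngularSpec.js
@@ -1760,6 +1760,19 @@ describe('angular', function() {
     expect(allowAutoBootstrap(createFakeDoc({src: 'file://whatever'}))).toBe(true);
   });
 
+  it('should not bootstrap from an extension into a non-extension document, via SVG script', function() {
+
+    // SVG script tags don't use the `src` attribute to load their source.
+    // Instead they use `href` or the deprecated `xlink:href` attributes.
+
+    expect(allowAutoBootstrap(createFakeDoc({href: 'resource://something'}))).toBe(false);
+    expect(allowAutoBootstrap(createFakeDoc({'xlink:href': 'resource://something'}))).toBe(false);
+
+    expect(allowAutoBootstrap(createFakeDoc({src: 'http://something', href: 'resource://something'}))).toBe(false);
+    expect(allowAutoBootstrap(createFakeDoc({href: 'http://something', 'xlink:href': 'resource://something'}))).toBe(false);
+    expect(allowAutoBootstrap(createFakeDoc({src: 'resource://something', href: 'http://something', 'xlink:href': 'http://something'}))).toBe(false);
+  });
+
   it('should not bootstrap if bootstrapping is disabled', function() {
     isAutoBootstrapAllowed = false;
     angularInit(jqLite('<div ng-app></div>')[0], bootstrapSpy);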
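Review bot: The new `it` block at lines 1763-1774 asserts only the rejecting path; every expectation is `toBe(false)`, so a regression that made `href`/`xlink:href` always fail (for example a lookup that never returns the allowed scheme) would still pass the spec. A positive case mirroring the existing `{src: 'file://whatever'}` expectation on line 1760 would pin the accepting path for the SVG attributes, e.g. `expect(allowAutoBootstrap(createFakeDoc({href: 'file://whatever'}))).toBe(true);` and `expect(allowAutoBootstrap(createFakeDoc({'xlink:href': 'https://whatever'}))).toBe(true);`. The `createFakeDoc` helper is outside this hunk, so whether it serves `href`-style keys the same way as `src` is assumed here.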
