Commit a649758

fix(Angular): do not auto bootstrap if the script source is bad and inside SVG
1 parent c357b1a commit a649758

2 files changed

+42
-21
lines changed

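--- a/src/Angular.js
+++ b/src/Angular.js
@@ -1532,33 +1532,41 @@ function getNgAttribute(element, ngAttr) {
 
 function allowAutoBootstrap(document) {
   var script = document.currentScript;
-  var src = script && script.getAttribute('src');
 
-  if (!src) {
+  if (!script) {
+    // IE does not have `document.currentScript`
     return true;
   }
 
-  var link = document.createElement('a');
-  link.href = src;
+  var srcs = [script.getAttribute('src'), script.getAttribute('href'), script.getAttribute('xlink:href')];
 
-  if (document.location.origin === link.origin) {
-    // Same-origin resources are always allowed, even for non-whitelisted schemes.
-    return true;
-  }
-  // Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
-  // This is to prevent angular.js bundled with browser extensions from being used to bypass the
-  // content security policy in web pages and other browser extensions.
-  switch (link.protocol) {
-    case 'http:':
-    case 'https:':
-    case 'ftp:':
-    case 'blob:':
-    case 'file:':
-    case 'data:':
+  return srcs.every(function(src) {
+    if (!src) {
       return true;
-    default:
-      return false;
-  }
+    }
+
+    var link = document.createElement('a');
+    link.href = src;
+
+    if (document.location.origin === link.origin) {
+      // Same-origin resources are always allowed, even for non-whitelisted schemes.
+      return true;
+    }
+    // Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
+    // This is to prevent angular.js bundled with browser extensions from being used to bypass the
+    // content security policy in web pages and other browser extensions.
+    switch (link.protocol) {
+      case 'http:':
+      case 'https:':
+      case 'ftp:':
+      case 'blob:':
+      case 'file:':
+      case 'data:':
+        return true;
+      default:
+        return false;
+    }
+  });
 }
 
 // Cached as it has to run during loading so that document.currentScript is available.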

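--- a/test/AngularSpec.js
+++ b/test/AngularSpec.js
@@ -1771,6 +1771,19 @@ describe('angular', function() {
       expect(allowAutoBootstrap(createFakeDoc({src: 'file://whatever'}))).toBe(true);
     });
 
+    it('should not bootstrap from an extension into a non-extension document, via SVG script', function() {
+
+      // SVG script tags don't use the `src` attribute to load their source.
+      // Instead they use `href` or the deprecated `xlink:href` attributes.
+
+      expect(allowAutoBootstrap(createFakeDoc({href: 'resource://something'}))).toBe(false);
+      expect(allowAutoBootstrap(createFakeDoc({'xlink:href': 'resource://something'}))).toBe(false);
+
+      expect(allowAutoBootstrap(createFakeDoc({src: 'http://something', href: 'resource://something'}))).toBe(false);
+      expect(allowAutoBootstrap(createFakeDoc({href: 'http://something', 'xlink:href': 'resource://something'}))).toBe(false);
+      expect(allowAutoBootstrap(createFakeDoc({src: 'resource://something', href: 'http://something', 'xlink:href': 'http://something'}))).toBe(false);
+    });
+
     it('should not bootstrap if bootstrapping is disabled', function() {
       isAutoBootstrapAllowed = false;
       angularInit(jqLite('<div ng-app></div>')[0], bootstrapSpy);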
