This repository was archived by the owner on Apr 12, 2024. It is now read-only.

Commit 41aa912

committed
fix(angularInit): allow auto-bootstraping from inline script
Some browsers (e.g. Safari 9.x, PhantomJS) do not set `link.origin/protocol` correctly, when setting `link.href` to `null`, which prevented auto-bootstraping Angular from scripts without a `src` attribute (i.e. inline scripts). Inline scripts are on the same origin as the loading page, so auto-bootstraping should be allowed. Fixes #15567 Closes #15571
1 parent b4581e3 commit 41aa912


2 files changed

+29
-4
lines changed


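--- a/src/Angular.js
+++ b/src/Angular.js
@@ -1446,12 +1446,16 @@ function getNgAttribute(element, ngAttr) {
 }
 
 function allowAutoBootstrap(document) {
-if (!document.currentScript) {
+var script = document.currentScript;
+var src = script && script.getAttribute('src');
+
+if (!src) {
 return true;
 }
-var src = document.currentScript.getAttribute('src');
+
 var link = document.createElement('a');
 link.href = src;
+
 if (document.location.origin === link.origin) {
 // Same-origin resources are always allowed, even for non-whitelisted schemes.
 return true;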
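Review bot: The new guard `if (!src)` fails open for more than the inline-script case the description argues for: a `src` attribute that is present but empty returns true as well, and nothing visible here confirms that `document.currentScript` is a real script element before its `getAttribute` result is trusted. Because this function gates auto-bootstrap, I would allow only the absent attribute, `if (src === null || src === undefined) { return true; }`, and return false for an empty string rather than treating it as same-origin. A short comment above the guard saying why a missing `src` is safe (`// Inline scripts share the page's origin, so there is nothing to check.`) would also help. The body of allowAutoBootstrap continues past the end of the hunk.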

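--- a/test/AngularSpec.js
+++ b/test/AngularSpec.js
@@ -1698,7 +1698,8 @@ describe('angular', function() {
 });
 
 it('should bootstrap from an extension into an extension document for same-origin documents only', function() {
-if (msie) return; // IE does not support document.currentScript (nor extensions with protocol), so skip test.
+// IE does not support `document.currentScript` (nor extensions with protocol), so skip test.
+if (msie) return;
 
 // Extension URLs are browser-specific, so we must choose a scheme that is supported by the browser to make
 // sure that the URL is properly parsed.
@@ -1729,8 +1730,28 @@ describe('angular', function() {
 expect(allowAutoBootstrap(fakeDoc)).toBe(false);
 });
 
+it('should bootstrap from a script with an empty or missing `src` attribute', function() {
+// IE does not support `document.currentScript` (nor extensions with protocol), so skip test.
+if (msie) return;
+
+// Fake a minimal document object (the actual document.currentScript is readonly).
+var src;
+var fakeDoc = {
+createElement: document.createElement.bind(document),
+currentScript: {getAttribute: function() { return src; }},
+location: {origin: 'some-value', protocol: 'http:'}
+};
+
+src = null;
+expect(allowAutoBootstrap(fakeDoc)).toBe(true);
+
+src = '';
+expect(allowAutoBootstrap(fakeDoc)).toBe(true);
+});
+
 it('should not bootstrap from an extension into a non-extension document', function() {
-if (msie) return; // IE does not support document.currentScript (nor extensions with protocol), so skip test.
+// IE does not support `document.currentScript` (nor extensions with protocol), so skip test.
+if (msie) return;
 
 var src = 'resource://something';
 // Fake a minimal document object (the actual document.currentScript is readonly).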
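Review bot: The new spec exercises `src = null` and `src = ''` but never the branch where `document.currentScript` itself is missing, which the rewritten `script && script.getAttribute('src')` line now handles differently than before. Unless a spec outside these hunks covers it, add `fakeDoc.currentScript = null;` followed by `expect(allowAutoBootstrap(fakeDoc)).toBe(true);` to the same `it` block. The `src = ''` expectation also pins an empty attribute as allowed; if that is intended, a one-line comment saying why an empty `src` is treated like an inline script would make the security decision explicit.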
