-
Notifications
You must be signed in to change notification settings - Fork 27.5k
fix(security): do not auto-bootstrap when loaded from an extension. #15346
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1444,6 +1444,26 @@ function getNgAttribute(element, ngAttr) { | |
return null; | ||
} | ||
|
||
function allowAutoBootstrap(document) { | ||
if (!document.currentScript) { | ||
return true; | ||
} | ||
var src = document.currentScript.getAttribute('src'); | ||
var link = document.createElement('a'); | ||
link.href = src; | ||
var scriptProtocol = link.protocol; | ||
var docLoadProtocol = document.location.protocol; | ||
if ((scriptProtocol === 'resource:' || | ||
scriptProtocol === 'chrome-extension:') && | ||
docLoadProtocol !== scriptProtocol) { | ||
return false; | ||
} | ||
return true; | ||
} | ||
|
||
// Cached as it has to run during loading so that document.currentScript is available. | ||
var isAutoBootstrapAllowed = allowAutoBootstrap(window.document); | ||
|
||
/** | ||
* @ngdoc directive | ||
* @name ngApp | ||
|
@@ -1602,6 +1622,11 @@ function angularInit(element, bootstrap) { | |
} | ||
}); | ||
if (appElement) { | ||
if (!isAutoBootstrapAllowed) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This check could be moved at the top (unless we expect anyone to load angular via There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I didn't do this intentionally - otherwise you'll get an error message even if you intend to manually bootstrap by calling There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah, I thought it might be intentional. I don't expect anyone to be loading angular over Hm...so, if it is a supported usecase (loading angular.js over There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Loading angular.js over However, for the rare case where a web page really actually wants to load via A secondary effect is that the console spam only triggers if the user actually has an So I don't think we need to document anything. Most users will never notice this. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
This should be documented, assuming that most users won't notice it means that when someone does notice it, there is no help available on how to go about making it work. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @mmccallum - feel free to send in a PR. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @mmccallum FWIW, when auto bootstrap gets disabled, Angular prints out a pretty clear message in the console. |
||
window.console.error('Angular: disabling automatic bootstrap. <script> protocol indicates ' + | ||
'an extension, document.location.href does not match.'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I feel that this message could be clearer or that it should link to a webpage/issue that explains what is happening? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do you have a suggestion? This should really only happen when somebody tries to exploit the security hole, so I'm not too worried about usability here. I don't think we need docs or a website. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. But it shouldn't block merging this. |
||
return; | ||
} | ||
config.strictDi = getNgAttribute(appElement, 'strict-di') !== null; | ||
bootstrap(appElement, module ? [module] : [], config); | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So we do allow auto bootstrap if the protocol of the document matches that of the script?
Why is that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because that's the intended use case - an extension that has a page (within the extension) that loads angular, and contains
ng-app
. We could disable that, but if we support auto bootstrap, I think we should support it within extensions, shouldn't we?