feat(security): do not bootstrap from unknown schemes with a different origin

Author: Rob--W

src/Angular.js

@@ -1485,12 +1485,14 @@ function allowAutoBootstrap(document) {
   var src = document.currentScript.getAttribute('src');
   var link = document.createElement('a');
   link.href = src;
-  var scriptProtocol = link.protocol;
-  var docLoadProtocol = document.location.protocol;
-  if (docLoadProtocol === scriptProtocol) {
+  if (document.location.protocol === link.protocol && document.location.host === link.host) {
+    // Same-origin resources are always allowed, even for non-whitelisted schemes.
     return true;
   }
-  switch (scriptProtocol) {
+  // Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
+  // This is to prevent angular.js bundled with browser extensions from being used to bypass the
+  // content security policy in web pages and other browser extensions.
+  switch (link.protocol) {
     case 'http:':
     case 'https:':
     case 'ftp:':

test/AngularSpec.js

@@ -1683,6 +1683,20 @@ describe('angular', function() {
       dealoc(appElement);
     });
 
+    it('should bootstrap from an extension into an extension document for same-origin documents only', function() {
+      var src = 'resource://something';
+      // Fake a minimal document object (the actual document.currentScript is readonly).
+      var fakeDoc = {
+        currentScript: { getAttribute: function() { return src; } },
+        location: {protocol: 'resource:', origin: 'resource://something'},
+        createElement: document.createElement.bind(document)
+      };
+      expect(allowAutoBootstrap(fakeDoc)).toBe(true);
+
+      src = 'resource://something-else';
+      expect(allowAutoBootstrap(fakeDoc)).toBe(false);
+    });
+
     it('should not bootstrap from an extension into a non-extension document', function() {
       var src = 'resource://something';
       // Fake a minimal document object (the actual document.currentScript is readonly).