From 02da1ab44a9cfcf2433636f6a7cffbca7abdff16 Mon Sep 17 00:00:00 2001
From: Martin Probst
Date: Wed, 23 Nov 2016 15:15:42 -0800
Subject: [PATCH] feat(security): explicitly whitelist URL schemes for bootstrap.

Many browsers have some extension URL scheme. It is unclear how many of those have the security issue of allowing parser-inserted loads of extension URLs. To be conservative, this code whitelists the URL schemes that are known to be subject to CSP, i.e. the ones that are expected and safe.
---
 src/Angular.js | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/Angular.js b/src/Angular.js
index 48cdb7b2c138..18672cc99e41 100644
--- a/src/Angular.js
+++ b/src/Angular.js
@@ -1455,12 +1455,20 @@ function allowAutoBootstrap(document) {
   link.href = src;
   var scriptProtocol = link.protocol;
   var docLoadProtocol = document.location.protocol;
-  if ((scriptProtocol === 'resource:' ||
-      scriptProtocol === 'chrome-extension:') &&
-      docLoadProtocol !== scriptProtocol) {
-    return false;
+  if (docLoadProtocol === scriptProtocol) {
+    return true;
+  }
+  switch(scriptProtocol) {
+    case 'http:':
+    case 'https:':
+    case 'ftp:':
+    case 'blob:':
+    case 'file:':
+    case 'data:':
+      return true;
+    default:
+      return false;
   }
-  return true;
 }
 // Cached as it has to run during loading so that document.currentScript is available.
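Review bot: The early return on `docLoadProtocol === scriptProtocol` trusts any script whose scheme merely matches the document's, so a page served from one `chrome-extension:` (or `resource:`) origin still auto-bootstraps an angular.js served from a different extension on the same scheme, which is the parser-inserted-load case the description sets out to stop. Comparing origins is tighter where the anchor exposes one: `if (document.location.origin === link.origin) { return true; }`, keeping the protocol comparison only as a fallback for browsers where `link.origin` is undefined. The switch also deserves a why-comment, because the allowlist reads as arbitrary without it: `// Only bootstrap when angular.js came from a scheme that page CSP governs; other schemes (browser-extension URLs) could otherwise be used to bypass CSP.` A space after `switch` would match the surrounding style. allowAutoBootstrap's body begins before the hunk, so where `link` and `src` are set is not visible here.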