track changes to base URL and other refactorings

Author: adob

src/.eslintrc.json

@@ -155,6 +155,7 @@
     /* urlUtils.js */
     "urlResolve": false,
     "urlIsSameOrigin": false,
+    "urlIsSameOriginAsBaseUrl": false,
 
     /* ng/controller.js */
     "identifierForController": false,

src/ng/urlUtils.js

@@ -8,7 +8,7 @@
 // service.
 var urlParsingNode = window.document.createElement('a');
 var originUrl = urlResolve(window.location.href);
-var baseUrl;
+var baseUrlParsingNode;
 
 
 /**
@@ -44,16 +44,16 @@ var baseUrl;
  * @description Normalizes and parses a URL.
  * @returns {object} Returns the normalized URL as a dictionary.
  *
- *   | member name   | Description    |
- *   |---------------|----------------|
+ *   | member name   | Description                                                            |
+ *   |---------------|------------------------------------------------------------------------|
  *   | href          | A normalized version of the provided URL if it was not an absolute URL |
- *   | protocol      | The protocol including the trailing colon                              |
+ *   | protocol      | The protocol without the trailing colon                                |
  *   | host          | The host and port (if the port is non-default) of the normalizedUrl    |
  *   | search        | The search params, minus the question mark                             |
- *   | hash          | The hash string, minus the hash symbol
- *   | hostname      | The hostname
- *   | port          | The port, without ":"
- *   | pathname      | The pathname, beginning with "/"
+ *   | hash          | The hash string, minus the hash symbol                                 |
+ *   | hostname      | The hostname                                                           |
+ *   | port          | The port, without ":"                                                  |
+ *   | pathname      | The pathname, beginning with "/"                                       |
  *
  */
 function urlResolve(url) {
@@ -68,19 +68,7 @@ function urlResolve(url) {
 
   urlParsingNode.setAttribute('href', href);
 
-  // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
-  return {
-    href: urlParsingNode.href,
-    protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '',
-    host: urlParsingNode.host,
-    search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '',
-    hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '',
-    hostname: urlParsingNode.hostname,
-    port: urlParsingNode.port,
-    pathname: (urlParsingNode.pathname.charAt(0) === '/')
-      ? urlParsingNode.pathname
-      : '/' + urlParsingNode.pathname
-  };
+  return anchorElementToObject(urlParsingNode);
 }
 
 /**
@@ -92,12 +80,11 @@ function urlResolve(url) {
  */
 function urlIsSameOrigin(requestUrl) {
   var parsed = (isString(requestUrl)) ? urlResolve(requestUrl) : requestUrl;
-  return (parsed.protocol === originUrl.protocol &&
-          parsed.host === originUrl.host);
+  return urlsAreSameOrigin(parsed, originUrl);
 }
 
 /**
- * Parse a request URL and determine whether it is same-origin as the document base URL.
+ * Parse a request URL and determine whether it is same-origin as the current document base URL.
  *
  * Note: The base URL is usually the same the document location (`location.href`) but can
  * overriden by using the `<base>` tag.
@@ -107,10 +94,55 @@ function urlIsSameOrigin(requestUrl) {
  * @returns {boolean} Whether the URL is same-origin as the document base URL.
  */
 function urlIsSameOriginAsBaseUrl(requestUrl) {
-  if (!baseUrl) {
-    baseUrl = urlResolve('.');
+  if (!baseUrlParsingNode) {
+    baseUrlParsingNode = window.document.createElement('a');
+    baseUrlParsingNode.href = '.';
+
+    if (msie) {
+      // Work-around for IE bug described in Implementation Notes. The fix in urlResolve() is not
+      // suitable here because we need to track changes to the base URL.
+      baseUrlParsingNode = baseUrlParsingNode.cloneNode(false);
+    }
   }
   var parsed = (isString(requestUrl)) ? urlResolve(requestUrl) : requestUrl;
-  return (parsed.protocol === baseUrl.protocol &&
-          parsed.host === baseUrl.host);
+  return urlsAreSameOrigin(parsed, anchorElementToObject(baseUrlParsingNode));
+}
+
+/**
+ * Determines if two URLs share the same origin.
+ *
+ * @param {object} url1 First URL to compare. Must be a normalized URL in the form of a
+ *     dictionary object returned by `urlResolve()`.
+ * @param {object} url2 Second URL to compare. Must be a normalized URL in the form of a
+ *     dictionary object returned by `urlResolve()`.
+ * @return {boolean} True if both URLs have the same origin, and false otherwise.
+ */
+function urlsAreSameOrigin(url1, url2) {
+  // IE sometimes includes a port in the 'host' property, even if it is the default 80 port so
+  // we check hostname and port separately.
+  return url1.protocol === url2.protocol &&
+      url1.hostname === url2.hostname &&
+          url1.port === url2.port;
+}
+
+/**
+ * Converts properties in the given anchor element into a dictionary object as described in the
+ * documentation for `urlResolve()`.
+ * @param {HTMLAnchorElement} elem
+ * @returns {object}
+ */
+function anchorElementToObject(elem) {
+   // elem provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
+   return {
+    href: elem.href,
+    protocol: elem.protocol ? elem.protocol.replace(/:$/, '') : '',
+    host: elem.host,
+    search: elem.search ? elem.search.replace(/^\?/, '') : '',
+    hash: elem.hash ? elem.hash.replace(/^#/, '') : '',
+    hostname: elem.hostname,
+    port: elem.port,
+    pathname: (elem.pathname.charAt(0) === '/')
+      ? elem.pathname
+      : '/' + elem.pathname
+  };
 }

test/e2e/fixtures/base_tag/index.html

@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html ng-app="test">
   <head>
-    <base href="http://www.example.com">
+    <base href="http://www.example.com/">
     <script src="http://localhost:8000/build/angular.js"></script>
     <script src="http://localhost:8000/e2e/fixtures/base_tag/script.js"></script>
   </head>

test/e2e/fixtures/base_tag/script.js

@@ -1,12 +1,14 @@
-angular
-  .module('test', [])
-  .run(function($sce) {
+'use strict';
+
+angular.
+  module('test', []).
+  run(function($sce) {
     window.isTrustedUrl = function(url) {
       try {
         $sce.getTrustedResourceUrl(url);
       } catch (e) {
         return false;
       }
       return true;
-    }
+    };
   });

test/e2e/tests/base_tag.spec.js

@@ -1,17 +1,34 @@
 'use strict';
 
-describe('base_tag', function() {
-  it('SCE self URL policy should correctly handle base tags', function() {
-    loadFixture('base_tag');
-
-    var url = browser.getLocationAbsUrl();
+describe('SCE URL policy when base tags are present', function() {
+  function checkUrl(url, allowed) {
     var urlIsTrusted = browser.executeScript('return isTrustedUrl(arguments[0])', url);
-    expect(urlIsTrusted).toBe(true);  // sanity check
+    expect(urlIsTrusted).toBe(allowed);
+  }
+  loadFixture('base_tag');
+
+  // sanity checks
+  it('allows the page URL (location.href)', function() {
+    checkUrl(browser.getLocationAbsUrl(), true);
+  });
+  it('blocks off-origin URLs', function() {
+    //browser.pause();
+    checkUrl('http://evil.com', false);
+  });
 
-    var urlIsTrusted = browser.executeScript('return isTrustedUrl("//evil.com/")');
-    expect(urlIsTrusted).toBe(false);  // sanity check
+  it('allows relative URLs ("/relative")', function() {
+    //browser.pause();
+    checkUrl('/relative', true);
+  });
+
+  it('allows absolute URLs from the base origin', function() {
+    checkUrl('http://www.example.com/path/to/file.html', true);
+  });
 
-    urlIsTrusted = browser.executeScript('return isTrustedUrl("/relative")');
-    expect(urlIsTrusted).toBe(true);
+  it('tracks changes to the base URL', function() {
+    browser.executeScript(
+        'document.getElementsByTagName("base")[0].href = "http://xxx.example.com/";');
+    //browser.pause();
+    checkUrl('http://xxx.example.com/path/to/file.html', true);
   });
 });