feat(security): categorize <track src> as a regular URL.

After security review, it turns out we were too paranoid about <track src>. Its content is not actually active or dangerous.

Fixes #10089.
Martin Probst 2016-07-20 10:28:13 -07:00
parent 76b8a49bfb
commit a441b5b8fe
1 changed files with 4 additions and 5 deletions


@ -39,7 +39,7 @@ registerContext(SecurityContext.URL, [
'*|formAction', 'area|href', 'area|ping', 'audio|src', 'a|href', '*|formAction', 'area|href', 'area|ping', 'audio|src', 'a|href',
'a|ping', 'blockquote|cite', 'body|background', 'del|cite', 'form|action', 'a|ping', 'blockquote|cite', 'body|background', 'del|cite', 'form|action',
'img|src', 'img|srcset', 'input|src', 'ins|cite', 'q|cite', 'img|src', 'img|srcset', 'input|src', 'ins|cite', 'q|cite',
'source|src', 'source|srcset', 'video|poster', 'video|src', 'source|src', 'source|srcset', 'track|src', 'video|poster', 'video|src',
]); ]);
registerContext(SecurityContext.RESOURCE_URL, [ registerContext(SecurityContext.RESOURCE_URL, [
'applet|code', 'applet|code',
@ -55,5 +55,4 @@ registerContext(SecurityContext.RESOURCE_URL, [
'object|codebase', 'object|codebase',
'object|data', 'object|data',
'script|src', 'script|src',
'track|src',
]); ]);
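Review bot: The new `'track|src'` entry in the `SecurityContext.URL` list (first hunk) is not pinned by any test here. The diffstat shows a single changed file, so a later reshuffle of these lists could move or drop the entry unnoticed; a spec asserting that `track|src` resolves to `SecurityContext.URL` would cover that. The reason for the reclassification exists only in the commit message, so a comment beside the entry, e.g. `// track|src: content is not active, so the regular URL context is enough (#10089)`, would keep the rationale next to the schema. It is also worth confirming that callers which already wrap the value as a trusted resource URL still bind cleanly now that the attribute is sanitized under the URL context; that path is not visible on this page.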