3f55aa609f
This introduces the `BrowserModule` to be used for long form
bootstrap and offline compile bootstrap:
```
@AppModule({
modules: [BrowserModule],
precompile: [MainComponent],
providers: […], // additional providers
directives: […], // additional platform directives
pipes: […] // additional platform pipes
})
class MyModule {
constructor(appRef: ApplicationRef) {
appRef.bootstrap(MainComponent);
}
}
// offline compile
import {bootstrapModuleFactory} from ‘@angular/platform-browser’;
bootstrapModuleFactory(MyModuleNgFactory);
// runtime compile long form
import {bootstrapModule} from ‘@angular/platform-browser-dynamic’;
bootstrapModule(MyModule);
```
The short form, `bootstrap(...)`, can now creates a module on the fly,
given `directives`, `pipes, `providers`, `precompile` and `modules`
properties.
Related changes:
- make `SanitizationService`, `SecurityContext` public in `@angular/core` so that the offline compiler can resolve the token
- move `AnimationDriver` to `platform-browser` and make it
public so that the offline compiler can resolve the token
BREAKING CHANGES:
- short form bootstrap does no longer allow
to inject compiler internals (i.e. everything
from `@angular/compiler). Inject `Compiler` instead.
To provide custom providers for the compiler,
create a custom compiler via `browserCompiler({providers: [...]})`
and pass that into the `bootstrap` method.
60 lines
2.2 KiB
TypeScript
60 lines
2.2 KiB
TypeScript
/**
|
|
* @license
|
|
* Copyright Google Inc. All Rights Reserved.
|
|
*
|
|
* Use of this source code is governed by an MIT-style license that can be
|
|
* found in the LICENSE file at https://angular.io/license
|
|
*/
|
|
|
|
import {SecurityContext} from '@angular/core';
|
|
|
|
// =================================================================================================
|
|
// =================================================================================================
|
|
// =========== S T O P - S T O P - S T O P - S T O P - S T O P - S T O P ===========
|
|
// =================================================================================================
|
|
// =================================================================================================
|
|
//
|
|
// DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
|
|
// Reach out to mprobst for details.
|
|
//
|
|
// =================================================================================================
|
|
|
|
/** Map from tagName|propertyName SecurityContext. Properties applying to all tags use '*'. */
|
|
export const SECURITY_SCHEMA: {[k: string]: SecurityContext} = {};
|
|
|
|
function registerContext(ctx: SecurityContext, specs: string[]) {
|
|
for (let spec of specs) SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
|
|
}
|
|
|
|
// Case is insignificant below, all element and attribute names are lower-cased for lookup.
|
|
|
|
registerContext(SecurityContext.HTML, [
|
|
'iframe|srcdoc',
|
|
'*|innerHTML',
|
|
'*|outerHTML',
|
|
]);
|
|
registerContext(SecurityContext.STYLE, ['*|style']);
|
|
// NB: no SCRIPT contexts here, they are never allowed due to the parser stripping them.
|
|
registerContext(SecurityContext.URL, [
|
|
'*|formAction', 'area|href', 'area|ping', 'audio|src', 'a|href',
|
|
'a|ping', 'blockquote|cite', 'body|background', 'del|cite', 'form|action',
|
|
'img|src', 'img|srcset', 'input|src', 'ins|cite', 'q|cite',
|
|
'source|src', 'source|srcset', 'video|poster', 'video|src',
|
|
]);
|
|
registerContext(SecurityContext.RESOURCE_URL, [
|
|
'applet|code',
|
|
'applet|codebase',
|
|
'base|href',
|
|
'embed|src',
|
|
'frame|src',
|
|
'head|profile',
|
|
'html|manifest',
|
|
'iframe|src',
|
|
'link|href',
|
|
'media|src',
|
|
'object|codebase',
|
|
'object|data',
|
|
'script|src',
|
|
'track|src',
|
|
]);
|