* Document `currentUrlTree`, `browserUrlTree`, and `rawUrlTree`
* Add a couple `TODO` comments to investigate changes based on understanding
PR Close #43391
tsec is a TypeScript compiler wrapper for restricting use of
security-sensitive DOM APIs, in particular those that could lead to XSS
or Trusted Types violations. Add it as a linter to aio to prevent future
Trusted Types regressions on angular.io.
Also introduces security_exemptions.json, which lists the known,
security-reviewed tsec security violations. New entries can only be
added to this file after a security review, in particular making sure
that the corresponding code does not cause XSS vulnerabilities or
Trusted Types violations.
PR Close #42800
Configure Firebase to serve a CSP header on angular.io that enables
Trusted Types in report-only mode. This causes any Trusted Types
violations that may occur as users browse angular.io to generate a CSP
report that is sent to csp.withgoogle.com, where it is processed by
Google's CSP report collector.
This is a non-breaking change that allows us to evaluate whether
angular.io is fully compatible with Trusted Types, at which point we can
start enforcing Trusted Types.
PR Close #42800
Configure angular.json to serve a CSP header that enables Trusted Types
in enforcement mode, both in e2e tests and when running the local
development server. This should help prevent regressions related to
Trusted Types in the angular.io app.
PR Close #42800
Fix a Trusted Types violation in ServiceWorkerModule that occurs when
initializing the service worker from a string URL, by passing a
TrustedScriptURL instead.
PR Close #42800
Change SvgIconInfo.svgSource to be a TrustedHTML and update all its
users accordingly. Also introduce the svg template tag function for
building TrustedHTML from constant SVG sources.
PR Close #42800
Change the PrettyPrinter interface to accept a TrustedHTML and patch
prettify.js so that it makes use of that value without modification.
Update all users of the service to produce and pass in a TrustedHTML.
PR Close #42800
Also introduce a dependency on the Trusted Types type definitions and a
Trusted Types polyfill, safevalues. Create a security module for common,
security-reviewed transformations into Trusted Types.
PR Close #42800
The Google Analytics snippet loads its runtime by dynamically creating a
script element and assigning a URL to its src attribute. This causes a
Trusted Types violation.
To fix this, create an inline Trusted Types policy called 'aio#analytics'
to bless the script URL, which is a trusted constant.
PR Close #42800
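The policy pattern this commit describes, as an added JavaScript example that is not the angular.io code: a policy named 'aio#analytics' that blesses one constant script URL and refuses everything else. The URL value, the function names and the `fakeTrustedTypes` stand-in (used so the block runs outside a browser) are assumptions.

```javascript
// Assumed value: the page only says the script URL is a trusted constant.
const ANALYTICS_URL = 'https://www.google-analytics.com/analytics.js';

// Constructed stand-in for the browser's `trustedTypes` factory. Real browsers
// return opaque TrustedScriptURL objects rather than this frozen wrapper.
function fakeTrustedTypes() {
  const names = new Set();
  return {
    createPolicy(name, rules) {
      // Browsers reject duplicate policy names unless CSP allows duplicates.
      if (names.has(name)) throw new TypeError(`Policy "${name}" already exists`);
      names.add(name);
      return {
        name,
        createScriptURL: (input) => {
          const out = rules.createScriptURL(input);
          return Object.freeze({ toString: () => out });
        },
      };
    },
  };
}

// Build a policy that blesses exactly one constant URL, so it cannot be
// reused elsewhere in the app to turn an untrusted string into a script URL.
function createAnalyticsPolicy(tt) {
  const rules = {
    createScriptURL(url) {
      if (url !== ANALYTICS_URL) {
        throw new TypeError(`Refusing to bless unexpected script URL: ${url}`);
      }
      return url;
    },
  };
  // Browsers without Trusted Types: same check, plain string result.
  if (!tt) return { name: 'aio#analytics', createScriptURL: rules.createScriptURL };
  return tt.createPolicy('aio#analytics', rules);
}

// In a browser: script.src = createAnalyticsPolicy(window.trustedTypes)
//                               .createScriptURL(ANALYTICS_URL);
function blessAnalyticsUrl(tt) {
  const policy = createAnalyticsPolicy(tt);
  return String(policy.createScriptURL(ANALYTICS_URL));
}
```

Under an enforcing CSP, the policy name must also appear in the `trusted-types` directive, otherwise `createPolicy` itself throws.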
This restores the `finalize` function to directly call
`resetUrlToCurrentUrlTree`, as it was before efb440eb2f.
This allows us to simplify the `restoreHistory` function because it no
longer needs to handle the call from `finalize` where it should not
reset the internal router state.
PR Close #43382
The file we are redirecting `/guide/bazel` to was moved from
`bazel/src/schematics/README.md` to `bazel/docs/BAZEL_SCHEMATICS.md` in
commit 71b8c9ab29.
Update the Firebase configuration to use the new path in the redirect
URL.
PR Close #43376
Support for IE11 has been dropped in v13. IE11 was the last browser officially supported by Angular that required ES5 code. As a result of its removal, differential loading is no longer required and the Angular CLI has removed all differential loading functionality for v13. This commit removes all references to differential loading from the documentation.
PR Close #43060
Support for IE 11 was deprecated in v12 and in v13 the support is fully dropped. This commit updates the browser compatibility docs and removes IE 11 as a supported browser.
PR Close #43034
With the merging of #41730, our tests now more closely emulate real
browser behavior. This means that we can make changes to the `Router` which depend
on actual browser behavior rather than incorrectly mocked test behavior.
This change updates the logic in the `Router` to only trigger
navigations on `popstate` events. Since our `SpyLocation` now triggers
the `popstate` event correctly on `simulateHashChange`, `back`,
`forward`, and `simulatePopState`, we are able to rely on this being
true for all of these navigations in tests when using `SpyLocation` (the
default for `RouterTestingModule`).
In addition, this behavior relies on documented browser behavior: The
`popstate` event happens due to browser transitions as a result of user
triggered "back" button or otherwise.
https://developer.mozilla.org/en-US/docs/Web/API/Window/popstate_event#when_popstate_is_sent
In addition, this change chooses `popstate` over `hashchange` because it
is the event that is already being used for navigations since the
documented behavior of browsers is that `popstate` happens before
`hashchange`.
fixes #41782
PR Close #43328
With this change we change the logic to locate the tsconfig files. The public API to locate, read and parse the workspace configuration should be used instead of the custom implemented logic.
The custom implemented logic depended on methods which have long been deprecated and are not removed in version 13 of the Angular CLI. This was not caught during development/UT because this repo is using outdated Angular Tooling packages.
This change also updates a number of spec files which previously created an invalid Angular workspace configuration file.
Closes #43334
PR Close #43343
The TODO comment suggesting to verify that the target element to
scroll to needs to be an anchor no longer seems to be under consideration
so it can be removed.
resolves #43348
PR Close #43378
Windows disallows removal of files which are currently being used,
i.e. have active handles. This currently can result in permission denied
failures on the Windows CI jobs where `yarn bazel` resolves to the local
bazelisk installation that can be unlinked by `yarn_install` repository
fetching as part of the Bazel invocation, resulting in errors like:
```
ERROR: An error occurred during the fetch of repository 'npm':
yarn_install failed: $ node tools/yarn/check-yarn.js
...
[4/5] Linking dependencies...
info If you think this is a bug, please open a bug report with the information provided in "C:\\users\\circleci\\ng\\yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
(warning " > tsickle@0.34.3" has incorrect peer dependency "typescript@~3.3.1".
error An unexpected error occurred: "EPERM: operation not permitted, unlink 'C:\\users\\circleci\\ng\\node_modules\\@bazel\\bazel-win32_x64\\bazel-0.27.0-windows-x86_64.exe'".
Process stalled
Active handles:
- Socket
- Socket
- Socket
)
```
We work around this in order to improve CI stability in case the node modules are
being invalidated by Bazel, or through Yarn's integrity checking.
PR Close #43373
Checks the `.ng-dev` tool configuration in CI, compared
to doing it locally when the caretaker intends to perform
a merge and then realizes the config is broken.
PR Close #43322
Updates the overall Bazel setup to their latest versions:
* rules_nodejs is updated to stable 4.0.0
* rules_sass is updated to the latest version containing a fix
for the `@bazel/worker` bug we had a workaround for.
* dev-infra-private is updated to avoid duplicated dependencies.
We should use a version that also relies on stable rules_nodejs v4.
Note: We are not set on how dependencies for the `bazel/` folder
of the dev-infra package are managed, but we removed `@types/`
packages from the transitive dependencies, so we now need to
manually include `@types/uuid` for building the benchmark driver
utilities. We need to revisit this in the future.
PR Close #43322
Exposes implementation from #38884 as a public opt-in option.
From that commit:
> We can’t determine whether the user actually meant the back or
> the forward using the popstate event (triggered by a browser
> back/forward)
> so we instead need to store information on the state and compute the
> distance the user is traveling within the browser history.
> So by using the History#go method,
> we can bring the user back to the page where he is supposed to be after
> performing the action.
Resolves #13586
PR Close #43289
* Do not emit url pop on Location.go
* Emit a `popstate` event before each `hashchange` to have the same
behavior of the browser.
* Track the url change in the internal history when calling `simulateHashChange`
The changes to the router tests reflect the goals of the test.
Generally when `Location.go` is used to trigger navigations, it is only
relevant for `HashLocationStrategy` and verifying that the Router picks
up changes from manual URL changes. To do this, we convert those calls
to `simulateHashChange` instead.
Manual URL bar changes to the path when not using the `HashLocationStrategy`
would otherwise trigger a full page refresh so they aren't relevant to
these test scenarios which assert correct behavior during the lifetime
of the router.
[Reference for no `popstate` on `pushState`/`replaceState`](https://developer.mozilla.org/en-US/docs/Web/API/Window/popstate_event)
> Note that just calling history.pushState() or history.replaceState() won't
trigger a popstate event. The popstate event will be triggered by doing a browser
action such as a click on the back or forward button (or calling history.back()
or history.forward() in JavaScript).
[Reference for `popstate` before `hashChange`](https://developer.mozilla.org/en-US/docs/Web/API/Window/popstate_event#when_popstate_is_sent)
> When the transition occurs, either due to the user triggering the browser's
> "Back" button or otherwise, the popstate event is near the end of the process to transition to the new location
...
> 12. If the value of state changed, the popstate event is sent to the document.
> 13. Any persisted user state is restored, if the browser chooses to do so.
> 14. If the original and new entry's shared the same document, but had different fragments in their URLs, send the hashchange event to the window.
BREAKING CHANGE:
The behavior of the `SpyLocation` used by the `RouterTestingModule` has changed
to match the behavior of browsers. It no longer emits a 'popstate' event
when `Location.go` is called. In addition, `simulateHashChange` now
triggers _both_ a `hashchange` and a `popstate` event.
Tests which use `location.go` and expect the changes to be picked up by
the `Router` should likely change to `simulateHashChange` instead.
Each test is different in what it attempts to assert so there is no
single change that works for all tests. Each test using the `SpyLocation` to
simulate browser URL changes should be evaluated on a case-by-case basis.
fixes #27059
PR Close #41730
When providing the completion for `SafePropertyRead`, the ts server
will not apply the optional chaining. So no need to shift the start
location of `replacementSpan` back.
PR Close #43321