No test was added for this case because I can't think of a test case to
write that would work.
This change updates the code for a consistent mental model of setting
the `browserUrlTree`. It's only meant to track the `UrlTree` that the
`UrlHandlingStrategy` is set to extract, not the full `rawUrl`. Notice
that everywhere else, the `browserUrlTree` is set to
`urlAfterRedirects`, which is computed based on the extracted URL, _not_
the `rawUrl`.
PR Close #43426
PR #43102 broke some use-cases. These tests document expected behavior
and would have prevented #43446 and #43447. Recent changes have already
addressed these issues, but it would still be a good idea to cover these
use-cases in tests as well.
PR Close #43449
The previous code would set the browser URL to be only the part that's
extracted by the `UrlHandlingStrategy`. However, there may be parts of
the URL which _should not_ be handled by the Angular Router. This
change updates the code to set the browser URL in the same way that's
done with `'deferred'`: Merging the extracted URL after redirects with
the whole raw URL of the navigation, which includes parts not handled by
the `UrlHandlingStrategy`.
PR Close #43421
The HTML for the docs pages is generated by Dgeni based on some
[Nunjucks][1] templates.
Previously, these templates were set up in a way that introduced a lot
of excess whitespace in the generated HTML, unnecessarily bloating the
corresponding JSON files that need to be downloaded in order to view a
certain docs page. This has been discussed in #28105 and was again
observed while investigating #43285.
This commit refactors some of the templates related to API docs (which
seem to be the most affected ones) to drastically reduce the amount of
excess whitespace. More specifically, the total size of all files in
`generated/docs/api/` was reduced from ~13MB to ~7MB.
Besides the reduced payload size for each API page, this change will
also reduce the amount of memory needed by the ServiceWorker to cache
the API pages that have been visited by a user.
NOTE:
The affected files are not eagerly downloaded when navigating to
angular.io. Instead, each file is downloaded individually, as soon as a
user visits the corresponding API docs page. Therefore, the impact of
this change will be relatively small for most users.
[1]: https://mozilla.github.io/nunjucks/
PR Close #43435
NOTE:
This [version][1] includes a breaking fix ([commit af59f343d][2]). More
specifically `github-slugger` will no longer trim the text of a heading
before generating an ID and (with whitespace converted to `-`) this
results in different heading IDs:
**Before:** `<h3> foo bar </h3>` --> `<h3 id="foo-bar">...`
**After:** `<h3> foo bar </h3>` --> `<h3 id="--foo-bar--">...`
The different IDs now break some of our anchor-links, because
`github-slugger` is used by [rehype-slug][3], which is in turn used by
our [autolinkHeadings][4] dgeni post-processor.
To avoid the issue with broken anchor links, we update the
`renderMethodDetail()` nunjucks macro to omit excess whitespace in
headings.
[1]: https://github.com/Flet/github-slugger/releases/tag/v1.4.0
[2]: af59f343dc
[3]: https://github.com/rehypejs/rehype-slug
[4]: 75a3c778b1/aio/tools/transforms/angular-base-package/post-processors/autolink-headings.js (L3)
PR Close #43435
There are situations where the Router does not currently clean up failed navigations
correctly. While this is problematic on its own, we can mitigate some of
the damage by processing any URL when we get a navigation request when
the internal router state is out of sync.
Each of the added tests would fail without this change.
fixes #34795
PR Close #43424
This is to replace the implicitly created ts_library_forwared rules and
keep changes related to tsec/bazel integration solely in tools/tsec.bzl.
PR Close #43108
Introduce two new bazel rules: tsec_test and tsec_config, for
describing the tsec checks and the tsconfig file needed for such
checks, respectively. Currently, tsec_test only checks the srcs
of a ts_library or ng_module. It does not check direct or transitive
dependencies. Also, tsconfig files need to be manually maintained
to make sure tsec can read all necessary input (including global
symbols).
PR Close #43108
tsec is a static analyzer that discovers Trusted Types violations.
Deploy tsec to make sure there will be no TT regression in several
critical packages, including core, platform-browser, platform-server
and their dependencies. Existing violations have been reviewed and
exempted in packages/tsec-exemption.json. Future changes to the
exemption list require security review.
PR Close #43108
* Document `currentUrlTree`, `browserUrlTree`, and `rawUrlTree`
* Add a couple `TODO` comments to investigate changes based on understanding
PR Close #43391
tsec is a TypeScript compiler wrapper for restricting use of
security-sensitive DOM APIs, in particular those that could lead to XSS
or Trusted Types violations. Add it as a linter to aio to prevent future
Trusted Types regressions on angular.io.
Also introduces security_exemptions.json, which lists the known,
security-reviewed tsec security violations. New entries can only be
added to this file after a security review, in particular making sure
that the corresponding code does not cause XSS vulnerabilities or
Trusted Types violations.
PR Close #42800
Configure Firebase to serve a CSP header on angular.io that enables
Trusted Types in report-only mode. This causes any Trusted Types
violations that may occur as users browse angular.io to generate a CSP
report that is sent to csp.withgoogle.com, where it is processed by
Google's CSP report collector.
This is a non-breaking change that allows us to evaluate whether
angular.io is fully compatible with Trusted Types, at which point we can
start enforcing Trusted Types.
PR Close #42800
Configure angular.json to serve a CSP header that enables Trusted Types
in enforcement mode, both in e2e tests and when running the local
development server. This should help prevent regressions related to
Trusted Types in the angular.io app.
PR Close #42800
Fix a Trusted Types violation in ServiceWorkerModule that occurs when
initializing the service worker from a string URL, by passing a
TrustedScriptURL instead.
PR Close #42800
Change SvgIconInfo.svgSource to be a TrustedHTML and update all its
users accordingly. Also introduce the svg template tag function for
building TrustedHTML from constant SVG sources.
PR Close #42800
Change the PrettyPrinter interface to accept a TrustedHTML and patch
prettify.js so that it makes use of that value without modification.
Update all users of the service to produce, and pass in a TrustedHTML.
PR Close #42800
Also introduce a dependency on the Trusted Types type definitions and a
Trusted Types polyfill, safevalues. Create a security module for common,
security-reviewed transformations into Trusted Types.
PR Close #42800
The Google Analytics snippet loads its runtime by dynamically creating a
script element and assigning a URL to its src attribute. This causes a
Trusted Types violation.
To fix this, create an inline Trusted Types policy called 'aio#analytics'
to bless the script URL, which is a trusted constant.
PR Close #42800
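
The approach described in the commit message above, sketched as an added example that is not the angular.io code: a dedicated Trusted Types policy that blesses one constant script URL and refuses anything else. Only the policy name `aio#analytics` comes from the commit message; `ANALYTICS_URL` is a constructed placeholder, and `stubTrustedTypes`, `createAnalyticsPolicy` and `trustedAnalyticsUrl` are hypothetical names. The strict equality check is an assumption of this example.

```javascript
// Added example (not angular.io code). Only the policy name 'aio#analytics'
// comes from the commit message; every other name is hypothetical.
const ANALYTICS_URL = 'https://analytics.example/analytics.js'; // constructed placeholder

// Minimal stand-in for window.trustedTypes so the example also runs in Node.
// Browsers return opaque TrustedScriptURL objects; this stub wraps a string.
function stubTrustedTypes() {
  return {
    createPolicy(name, rules) {
      return {
        name,
        createScriptURL(input) {
          const value = rules.createScriptURL(input); // the rule may throw
          return { toString: () => value };
        },
      };
    },
  };
}

// The policy blesses exactly one constant. Any other input is rejected, so the
// policy cannot be reused to turn an arbitrary string into a TrustedScriptURL.
function createAnalyticsPolicy(tt) {
  return tt.createPolicy('aio#analytics', {
    createScriptURL(url) {
      if (url !== ANALYTICS_URL) {
        throw new TypeError(`Refusing to bless unexpected script URL: ${url}`);
      }
      return url;
    },
  });
}

// Returns the value a loader would assign to script.src.
function trustedAnalyticsUrl(policy) {
  return policy.createScriptURL(ANALYTICS_URL);
}

// Use the browser's factory when present, otherwise the stub.
const demoPolicy = createAnalyticsPolicy(globalThis.trustedTypes ?? stubTrustedTypes());
console.log(String(trustedAnalyticsUrl(demoPolicy)));
```

Keeping the policy this narrow means a security review of the exemption only has to confirm that the constant itself is trustworthy.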
This restores the `finalize` function to directly call
`resetUrlToCurrentUrlTree`, as it was before efb440eb2f.
This allows us to simplify the `restoreHistory` function because it no
longer needs to handle the call from `finalize` where it should not
reset the internal router state.
PR Close #43382
The file we are redirecting `/guide/bazel` to was moved from
`bazel/src/schematics/README.md` to `bazel/docs/BAZEL_SCHEMATICS.md` in
commit 71b8c9ab29.
Update the Firebase configuration to use the new path in the redirect
URL.
PR Close #43376
Support for IE11 has been dropped in v13. IE11 was the last browser officially supported by Angular that required ES5 code. As a result of its removal, differential loading is no longer required and the Angular CLI has removed all differential loading functionality for v13. This commit removes all references to differential loading from the documentation.
PR Close #43060
Support for IE 11 was deprecated in v12 and in v13 the support is fully dropped. This commit updates the browser compatibility docs and removes IE 11 as a supported browser.
PR Close #43034
With the merging of #41730, our tests now more closely emulate real
browser behavior. This means that we can make changes to the `Router` which depend
on actual browser behavior rather than incorrectly mocked test behavior.
This change updates the logic in the `Router` to only trigger
navigations on `popstate` events. Since our `SpyLocation` now triggers
the `popstate` event correctly on `simulateHashChange`, `back`,
`forward`, and `simulatePopState`, we are able to rely on this being
true for all of these navigations in tests when using `SpyLocation` (the
default for `RouterTestingModule`).
In addition, this behavior relies on documented browser behavior: The
`popstate` event happens due to browser transitions as a result of user
triggered "back" button or otherwise.
https://developer.mozilla.org/en-US/docs/Web/API/Window/popstate_event#when_popstate_is_sent
In addition, this change chooses `popstate` over `hashchange` because it
is the event that is already being used for navigations since the
documented behavior of browsers is that `popstate` happens before
`hashchange`.
fixes #41782
PR Close #43328