fix(icon): remove trustAs calls in favor of implicit trust conditions (#9250)

Author: jelbourn

src/components/icon/icon.spec.js

@@ -205,12 +205,6 @@ describe('MdIcon directive', function() {
       module(function($provide) {
         var $mdIconMock = function(id) {
 
-          wasLastSvgSrcTrusted = false;
-          if (!angular.isString(id)) {
-            id = $sce.getTrustedUrl(id);
-            wasLastSvgSrcTrusted = true;
-          }
-
           return {
             then: function(fn) {
               switch(id) {
@@ -222,8 +216,6 @@ describe('MdIcon directive', function() {
                   break;
                 case 'cake.svg'         : fn('<svg><g id="cake"></g></svg>');
                   break;
-                case 'galactica.svg'         : fn('<svg><g id="galactica"></g></svg>');
-                  break;
                 case 'image:android'    : fn('');
                   break;
                 default                 :
@@ -272,17 +264,10 @@ describe('MdIcon directive', function() {
         $sce = _$sce_;
       }));
 
-      it('should mark as trusted static URLs', function() {
-        el = make('<md-icon md-svg-src="galactica.svg"></md-icon>');
-        expect(wasLastSvgSrcTrusted).toBe(true);
-        expect(el[0].innerHTML).toContain('galactica')
-      });
-
       it('should update mdSvgSrc when attribute value changes', function() {
         $scope.url = 'android.svg';
         el = make('<md-icon md-svg-src="{{ url }}"></md-icon>');
         expect(el.attr('md-svg-src')).toEqual('android.svg');
-        expect(wasLastSvgSrcTrusted).toBe(false);
         $scope.url = 'cake.svg';
         $scope.$digest();
         expect(el.attr('md-svg-src')).toEqual('cake.svg');
@@ -397,9 +382,8 @@ describe('MdIcon service', function() {
     $mdIconProvider
       .icon('android'           , 'android.svg')
       .icon('c2'                , 'c2.svg')
-      .icon('notInTemplateCache', 'http://example.com/not-in-template-cache.svg')
-      .iconSet('social'         , 'social.svg')
-      .iconSet('emptyIconSet'   , 'emptyGroup.svg')
+      .iconSet('social'         , 'social.svg' )
+      .iconSet('emptyIconSet'   , 'emptyGroup.svg' )
       .defaultIconSet('core.svg');
 
     $mdIconProvider.icon('missingIcon', 'notfoundicon.svg');
@@ -478,22 +462,6 @@ describe('MdIcon service', function() {
 
         $scope.$digest();
       });
-
-      it('should treat urls given to the provider as trusted', function() {
-        $httpBackend.whenGET('http://example.com/not-in-template-cache.svg').respond('');
-
-        // For this first icon, we simply expect that this does *not* throw an error,
-        // since registering it with the provider should mark the URL as explicity trusted.
-        $mdIcon('notInTemplateCache');
-        $scope.$apply();
-
-        // For this second icon, we expect it to throw an untrusted error because it was not
-        // registered to the provider.
-        expect(function() {
-          $mdIcon('http://example.com/not-configured-in-provider.svg');
-          $scope.$apply();
-        }).toThrowError(/\[\$sce:insecurl\]/);
-      });
     });
 
     describe('$mdIcon() is passed a URL', function() {

src/components/icon/js/iconDirective.js

@@ -221,13 +221,6 @@ function mdIconDirective($mdIcon, $mdTheming, $mdAria, $sce) {
     if (attrName) {
       // Use either pre-configured SVG or URL source, respectively.
       attr.$observe(attrName, function(attrVal) {
-
-        // If using svg-src and the value is static (i.e., is exactly equal to the compile-time
-        // `md-svg-src` value), then it is implicitly trusted.
-        if (!isInlineSvg(attrVal) && attrVal === originalSvgSrc) {
-          attrVal = $sce.trustAsResourceUrl(attrVal);
-        }
-
         element.empty();
         if (attrVal) {
           $mdIcon(attrVal)
@@ -281,14 +274,4 @@ function mdIconDirective($mdIcon, $mdTheming, $mdAria, $sce) {
       }
     }
   }
-
-  /**
-   * Gets whether the given svg src is an inline ("data:" style) SVG.
-   * @param {string} svgSrc The svg src.
-   * @returns {boolean} Whether the src is an inline SVG.
-   */
-  function isInlineSvg(svgSrc) {
-    var dataUrlRegex = /^data:image\/svg\+xml[\s*;\w\-\=]*?(base64)?,(.*)$/i;
-    return dataUrlRegex.test(svgSrc);
-  }
 }

src/components/icon/js/iconService.js

@@ -276,19 +276,13 @@
  *
  */
 
-
-/**
- * The configuration for $mdIconProvider. This contains both options for the icon service
- * and acts as a map of iconName -> ConfigurationItem (configuration for a single icon).
- */
-var config;
+var config = {
+  defaultViewBoxSize: 24,
+  defaultFontSet: 'material-icons',
+  fontSets: []
+};
 
 function MdIconProvider() {
-  config = {
-    defaultViewBoxSize: 24,
-    defaultFontSet: 'material-icons',
-    fontSets: []
-  };
 }
 
 MdIconProvider.prototype = {
@@ -410,16 +404,6 @@ function MdIconService(config, $templateRequest, $q, $log, $mdUtil, $sce) {
   var svgCache = {};
   var urlRegex = /[-\w@:%\+.~#?&//=]{2,}\.[a-z]{2,4}\b(\/[-\w@:%\+.~#?&//=]*)?/i;
   var dataUrlRegex = /^data:image\/svg\+xml[\s*;\w\-\=]*?(base64)?,(.*)$/i;
-  var configUrls = new Set();
-
-  // Implicity trust all the icon URLs given to MdIconProvider because they are set during
-  // Angular's "config" phase, during which the application is not yet in a state where
-  // user-provided values are generally available.
-  angular.forEach(config, function(configItem) {
-    if (angular.isString(configItem.url)) {
-      configUrls.add(configItem.url);
-    }
-  });
 
   Icon.prototype = {clone: cloneSVG, prepare: prepareAndStyle};
   getIcon.fontSet = findRegisteredFontSet;
@@ -570,10 +554,6 @@ function MdIconService(config, $templateRequest, $q, $log, $mdUtil, $sce) {
             resolve(svgCache[url]);
           };
 
-        if (configUrls.has(url)) {
-          url = $sce.trustAsResourceUrl(url);
-        }
-
         $templateRequest(url, true).then(extractSvg, announceAndReject);
       });
     }