This might be a false positive for the mechanism that disallows bootstrap if "angular.js was loaded from a known scheme used on the web". It's possible that there is no provision for a script tag without a src attribute.
Can you maybe debug were exactly this function here: https://github.com/angular/angular.js/blob/1cf93fd2b0ccf6f0adb30ca61c475632ac920ac4/src/Angular.js#L1448 returns false, and why in your application?

cc @mprobst

@jeffhuys could you change the code to print out document.location.origin and link.origin (and possibly without the .origin as well)?

https://github.com/angular/angular.js/blob/master/src/Angular.js#L1485

This is probably some incompatibility on our side, but it's unclear to me what values we should expect there in Safari & PhantomJS.

Obviously, document.currentScript.getAttribute('src') returns null when there is no src attribute. The difference comes from how different browsers treat link.href = null.

Chrome (and presumably the other working browsers) treats it as link.href = 'null', which sets the link.protocol and link.origin correctly.

PhantomJS (and presumably Safari 9.x) seems to ignore it. As a result, link.href === link.origin === '' and link.protocol === ':'.

#

An easy fix would be changing this line like this (which seems to work on PhantomJS):

-var src = document.currentScript.getAttribute('src');
+var src = document.currentScript.getAttribute('src') || '';

The following might also work, but I haven't tried it on all browsers:

-var src = document.currentScript.getAttribute('src');
+var src = document.currentScript.src;

@mprobst, if this sgty, I can put together a PR (unless @jeffhuys wants to :wink:).

@gkalpak sounds reasonable. We should treat no src= attribute as the <script> coming from the same origin as the document. Which means we could also check and early exit, something like if (!src) return true;.

@jeffhuys, can you confirm that the fix in #15571 works for your app?

Guys, so sorry I haven't responded yet! We're currently checking if this fix works. Will report back! Thanks so much and sorry again.

Today we found the same problem on IE11 in our production site. We upgraded angularjs from 1.5.9 to 1.5.11 but this didn't fix the problem. We solved disabling automatic bootstrap as stated here.

@McGiogen please report an issue describing how you load AngularJS, preferably with a test case (and link to it from here), if we have any bugs in the algorithm deciding whether to allow autobootstrap, we'd like to fix them.

The problem is with https://github.com/angular/angular.js/blob/1cf93fd2b0ccf6f0adb30ca61c475632ac920ac4/src/Angular.js#L1455

IE 11 does not add the origin header in some cases: http://stackoverflow.com/questions/20784209/internet-explorer-11-does-not-add-the-origin-header-on-a-cors-request

@Wolfke85, IE11 should not have document.currentScript in the first place, so the line you mention should never be reached.

@gkalpak We do reach that line, since after some investigation we use PDFJS (https://github.com/mozilla/pdf.js) which has a compatibility.js where they do the following:

// Provides document.currentScript support
// Support: IE, Chrome<29.
(function checkCurrentScript() {
  if ('currentScript' in document) {
    return;
  }
  Object.defineProperty(document, 'currentScript', {
    get: function () {
      var scripts = document.getElementsByTagName('script');
      return scripts[scripts.length - 1];
    },
    enumerable: true,
    configurable: true
  });
})();

@Wolfke85, this dicussed in #15772.