The $sceDelegateProvider
provider allows developers to configure the $sceDelegate service, used as a delegate for Strict Contextual Escaping (SCE).
The $sceDelegateProvider
allows one to get/set the trustedResourceUrlList
and bannedResourceUrlList
used to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all places that use the $sce.RESOURCE_URL
context). See $sceDelegateProvider.trustedResourceUrlList and $sceDelegateProvider.bannedResourceUrlList,
For the general details about this service in AngularJS, read the main page for Strict Contextual Escaping (SCE).
Example: Consider the following case.
http://myapp.example.com/
http://srv01.assets.example.com/
, http://srv02.assets.example.com/
, etc.http://myapp.example.com/clickThru?...
.Here is what a secure configuration for this scenario might look like:
angular.module('myApp', []).config(function($sceDelegateProvider) { $sceDelegateProvider.trustedResourceUrlList([ // Allow same origin resource loads. 'self', // Allow loading from our assets domain. Notice the difference between * and **. 'http://srv*.assets.example.com/**' ]); // The banned resource URL list overrides the trusted resource URL list so the open redirect // here is blocked. $sceDelegateProvider.bannedResourceUrlList([ 'http://myapp.example.com/clickThru**' ]); });
Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require you to manually mark each one as trusted with $sce.trustAsResourceUrl
. However, templates requested by $templateRequest that are present in $templateCache will not go through this check. If you have a mechanism to populate your templates in that cache at config time, then it is a good idea to remove 'self' from the trusted resource URL lsit. This helps to mitigate the security impact of certain types of issues, like for instance attacker-controlled ng-includes
.
Sets/Gets the list trusted of resource URLs.
The default value when no trustedResourceUrlList
has been explicitly set is ['self']
allowing only same origin resource requests.
trustedResourceUrlList
of 'self' is not recommended if your app shares its origin with other apps! It is a good idea to limit it to only your application's directory. Param | Type | Details |
---|---|---|
trustedResourceUrlList (optional) | Array | When provided, replaces the trustedResourceUrlList with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored. Follow this link for a description of the items allowed in this array. |
Array |
The currently set trusted resource URL array. |
This method is deprecated. Use trustedResourceUrlList instead.
Sets/Gets the bannedResourceUrlList
of trusted resource URLs.
The default value when no trusted resource URL list has been explicitly set is the empty array (i.e. there is no bannedResourceUrlList
.)
Param | Type | Details |
---|---|---|
bannedResourceUrlList (optional) | Array | When provided, replaces the Follow this link for a description of the items allowed in this array. The typical usage for the Finally, the banned resource URL list overrides the trusted resource URL list and has the final say. |
Array |
The currently set |
This method is deprecated. Use bannedResourceUrlList instead.
© 2010–2020 Google, Inc.
Licensed under the Creative Commons Attribution License 3.0.
https://code.angularjs.org/1.8.2/docs/api/ng/provider/$sceDelegateProvider