The $sceDelegateProvider provider allows developers to configure the $sceDelegate service, used as a delegate for Strict Contextual Escaping (SCE).
The $sceDelegateProvider allows one to get/set the trustedResourceUrlList and bannedResourceUrlList used to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all places that use the $sce.RESOURCE_URL context). See $sceDelegateProvider.trustedResourceUrlList and $sceDelegateProvider.bannedResourceUrlList.
For the general details about this service in AngularJS, read the main page for Strict Contextual Escaping (SCE).
Example: Consider the following case.
- Your app is hosted at http://myapp.example.com/
- Some of your templates are hosted on other domains you control, such as http://srv01.assets.example.com/, http://srv02.assets.example.com/, etc.
- You have an open redirect at http://myapp.example.com/clickThru?....
Here is what a secure configuration for this scenario might look like:
```js
angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.trustedResourceUrlList([
    // Allow same origin resource loads.
    'self',
    // Allow loading from our assets domain. Notice the difference between * and **.
    'http://srv*.assets.example.com/**'
  ]);

  // The banned resource URL list overrides the trusted resource URL list so the open redirect
  // here is blocked.
  $sceDelegateProvider.bannedResourceUrlList([
    'http://myapp.example.com/clickThru**'
  ]);
});
```
Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require you to manually mark each one as trusted with $sce.trustAsResourceUrl. However, templates requested by $templateRequest that are present in $templateCache will not go through this check. If you have a mechanism to populate your templates in that cache at config time, then it is a good idea to remove 'self' from the trusted resource URL list. This helps to mitigate the security impact of certain types of issues, like for instance attacker-controlled ng-includes.
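To make the matching rules concrete, the following is an added re-implementation of the documented policy (it is not AngularJS source): 'self' means same origin, '*' matches within a single URL component, '**' also spans '/', and a banned match overrides a trusted match. It assumes the app is served from http://myapp.example.com and applies the configuration from the example above to constructed sample URLs.

```javascript
// Added illustration of the documented matching rules; not AngularJS source.
// Assumption: the application itself is served from http://myapp.example.com.
const APP_ORIGIN = 'http://myapp.example.com';

// Escape every RegExp metacharacter, including '*', which is restored below.
function escapeForRegexp(s) {
  return s.replace(/([-()[\]{}+?*.$^|,:#<!\\])/g, '\\$1');
}

// One list entry -> matcher. 'self' stays symbolic; a string must be an absolute URL
// pattern where '*' matches within one component (it stops at ':', '/', '.', '?', '&', ';')
// and '**' matches anything, including '/'.
function adjustMatcher(entry) {
  if (entry === 'self') return entry;
  if (entry.includes('***')) throw new Error('illegal sequence *** in pattern');
  if (!/^((ftp|https?):\/\/|file:\/\/\/)/.test(entry)) {
    throw new Error('pattern must start with http://, https://, ftp:// or file:///');
  }
  const body = escapeForRegexp(entry)
    .replace(/\\\*\\\*/g, '.*')        // '**'
    .replace(/\\\*/g, '[^:/.?&;]*');   // '*'
  return new RegExp('^' + body + '$');
}

function matchUrl(matcher, url) {
  if (matcher === 'self') return url.origin === new URL(APP_ORIGIN).origin;
  return matcher.test(url.href);
}

// A trusted match grants access; a banned match then has the final say.
function isResourceUrlAllowed(trustedList, bannedList, urlString) {
  const url = new URL(urlString);
  if (!trustedList.map(adjustMatcher).some((m) => matchUrl(m, url))) return false;
  return !bannedList.map(adjustMatcher).some((m) => matchUrl(m, url));
}

// The configuration from the example above, applied to constructed sample URLs.
const trustedResourceUrlList = ['self', 'http://srv*.assets.example.com/**'];
const bannedResourceUrlList = ['http://myapp.example.com/clickThru**'];
function checkPolicy(urlString) {
  return isResourceUrlAllowed(trustedResourceUrlList, bannedResourceUrlList, urlString);
}
for (const u of [
  'http://myapp.example.com/templates/nav.html',               // same origin: allowed
  'http://srv02.assets.example.com/tpl/deep/widget.html',      // '**' spans '/': allowed
  'http://srv02.assets.example.com.evil.example/widget.html',  // '*' cannot cross '.': blocked
  'http://myapp.example.com/clickThru?to=http://evil.example', // banned open redirect: blocked
  'https://myapp.example.com/templates/nav.html',              // scheme differs: not 'self'
]) console.log(checkPolicy(u) ? 'ALLOW' : 'BLOCK', u);
```

Note that with an empty trusted list isResourceUrlAllowed returns false for every URL, which is the behaviour the paragraph above describes.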
Sets/Gets the list of trusted resource URLs.
The default value when no trustedResourceUrlList has been explicitly set is ['self'], allowing only same origin resource requests.
A trustedResourceUrlList of 'self' is not recommended if your app shares its origin with other apps! It is a good idea to limit it to only your application's directory.

| Param | Type | Details |
|---|---|---|
| trustedResourceUrlList (optional) | Array | When provided, replaces the trustedResourceUrlList with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored. Follow this link for a description of the items allowed in this array. |

Returns:

| Type | Details |
|---|---|
| Array | The currently set trusted resource URL array. |
This method is deprecated. Use trustedResourceUrlList instead.
Sets/Gets the bannedResourceUrlList, the list of resource URLs that are blocked even when they match the trusted resource URL list.
The default value when no bannedResourceUrlList has been explicitly set is the empty array (i.e. there is no bannedResourceUrlList).

| Param | Type | Details |
|---|---|---|
| bannedResourceUrlList (optional) | Array | When provided, replaces the bannedResourceUrlList with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored. Follow this link for a description of the items allowed in this array. The typical usage for the bannedResourceUrlList is to block open redirects served from your own domain, which would otherwise be trusted (see the clickThru example above). Finally, the banned resource URL list overrides the trusted resource URL list and has the final say. |

Returns:

| Type | Details |
|---|---|
| Array | The currently set banned resource URL array. |
This method is deprecated. Use bannedResourceUrlList instead.
© 2010–2020 Google, Inc.
Licensed under the Creative Commons Attribution License 3.0.
https://code.angularjs.org/1.8.2/docs/api/ng/provider/$sceDelegateProvider