Improve this Doc View Source $sceDelegateProvider

  1. $sceDelegate
  2. provider in module ng

Overview

The $sceDelegateProvider provider allows developers to configure the $sceDelegate service, used as a delegate for Strict Contextual Escaping (SCE).

The $sceDelegateProvider allows one to get/set the whitelists and blacklists used to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all places that use the $sce.RESOURCE_URL context). See $sceDelegateProvider.resourceUrlWhitelist and $sceDelegateProvider.resourceUrlBlacklist,

For the general details about this service in AngularJS, read the main page for Strict Contextual Escaping (SCE).

Example: Consider the following case.

  • your app is hosted at url http://myapp.example.com/
  • but some of your templates are hosted on other domains you control such as http://srv01.assets.example.com/, http://srv02.assets.example.com/, etc.
  • and you have an open redirect at http://myapp.example.com/clickThru?....

Here is what a secure configuration for this scenario might look like:

angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.resourceUrlWhitelist([
    // Allow same origin resource loads.
    'self',
    // Allow loading from our assets domain.  Notice the difference between * and **.
    'http://srv*.assets.example.com/**'
  ]);

  // The blacklist overrides the whitelist so the open redirect here is blocked.
  $sceDelegateProvider.resourceUrlBlacklist([
    'http://myapp.example.com/clickThru**'
  ]);
});

Note that an empty whitelist will block every resource URL from being loaded, and will require you to manually mark each one as trusted with $sce.trustAsResourceUrl. However, templates requested by $templateRequest that are present in $templateCache will not go through this check. If you have a mechanism to populate your templates in that cache at config time, then it is a good idea to remove 'self' from that whitelist. This helps to mitigate the security impact of certain types of issues, like for instance attacker-controlled ng-includes.

Methods

  • resourceUrlWhitelist([whitelist]);

    Sets/Gets the whitelist of trusted resource URLs.

    The default value when no whitelist has been explicitly set is ['self'] allowing only same origin resource requests.

    Note: the default whitelist of 'self' is not recommended if your app shares its origin with other apps! It is a good idea to limit it to only your application's directory.

    Parameters

    Param Type Details
    whitelist
    (optional)
    Array

    When provided, replaces the resourceUrlWhitelist with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored. Follow this link for a description of the items allowed in this array.

    Returns

    Array

    The currently set whitelist array.

  • resourceUrlBlacklist([blacklist]);

    Sets/Gets the blacklist of trusted resource URLs.

    The default value when no whitelist has been explicitly set is the empty array (i.e. there is no blacklist.)

    Parameters

    Param Type Details
    blacklist
    (optional)
    Array

    When provided, replaces the resourceUrlBlacklist with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored.

    Follow this link for a description of the items allowed in this array.

    The typical usage for the blacklist is to block open redirects served by your domain as these would otherwise be trusted but actually return content from the redirected domain.

    Finally, the blacklist overrides the whitelist and has the final say.

    Returns

    Array

    The currently set blacklist array.

© 2010–2018 Google, Inc.
Licensed under the Creative Commons Attribution License 4.0.
https://code.angularjs.org/1.7.8/docs/api/ng/provider/$sceDelegateProvider