$sceDelegateProvider

  1. $sceDelegate
  2. provider in module ng

Overview

The $sceDelegateProvider provider allows developers to configure the $sceDelegate service, used as a delegate for Strict Contextual Escaping (SCE).

The $sceDelegateProvider lets you get/set the trustedResourceUrlList and bannedResourceUrlList that decide which URLs may be used for sourcing AngularJS templates and other script-running resources, i.e. everywhere the $sce.RESOURCE_URL context applies (ng-include, templateUrl, $templateRequest, and similar). See $sceDelegateProvider.trustedResourceUrlList and $sceDelegateProvider.bannedResourceUrlList.

For the general details about this service in AngularJS, read the main page for Strict Contextual Escaping (SCE).

Example: Consider the following case.

  • your app is hosted at url http://myapp.example.com/
  • but some of your templates are hosted on other domains you control such as http://srv01.assets.example.com/, http://srv02.assets.example.com/, etc.
  • and you have an open redirect at http://myapp.example.com/clickThru?....

Here is what a secure configuration for this scenario might look like:

angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.trustedResourceUrlList([
    // Allow same origin resource loads.
    'self',
    // Allow loading from our assets domain.  Notice the difference between * and **.
    'http://srv*.assets.example.com/**'
  ]);

  // The banned resource URL list overrides the trusted resource URL list so the open redirect
  // here is blocked.
  $sceDelegateProvider.bannedResourceUrlList([
    'http://myapp.example.com/clickThru**'
  ]);
});

Note that an empty trusted resource URL list blocks every resource URL from being loaded and requires you to mark each one as trusted explicitly with $sce.trustAsResourceUrl. However, templates requested through $templateRequest that are already present in $templateCache do not go through this check. If you have a mechanism to populate that cache at config time (for example by bundling your templates into the application), it is a good idea to remove 'self' from the trusted resource URL list. This helps to mitigate the impact of certain types of issues, for instance an attacker-controlled ng-include path, which with 'self' in the list could otherwise load any same-origin URL as a template.
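To make the policy above concrete, the following is an added example (not AngularJS source code): a stand-alone re-implementation of the documented $sceDelegate resource-URL decision, so the configuration on this page can be evaluated against sample URLs outside a browser. The helper names (escapeForRegExp, adjustMatcher, makeResourceUrlPolicy) and the sample URLs are constructed for this example, and the application origin is passed in explicitly as http://myapp.example.com because AngularJS reads it from the document location instead. The matching rules follow the documentation: 'self' means same origin as the app; in a string pattern '*' matches any run of characters except ':', '/', '.', '?', '&' and ';', '**' matches anything, and '***' is rejected; a RegExp item is anchored with ^ and $; and the banned list is consulted only after a trusted item matched, so it always has the final say, as the bannedResourceUrlList method description below also states.

```javascript
// Added example, not AngularJS code. A re-implementation of the documented
// $sceDelegate resource-URL policy so it can be run in plain Node.js.
// Assumptions (not part of the original page): the app origin is supplied
// explicitly, and the helper names below are this example's own.

function escapeForRegExp(s) {
  return s.replace(/[-()\[\]{}+?*.$^|,:#<!\\]/g, '\\$&');
}

// Turn one list item ('self', a wildcard string, or a RegExp) into a matcher.
function adjustMatcher(item) {
  if (item === 'self') return item;
  if (typeof item === 'string') {
    if (item.indexOf('***') !== -1) {
      throw new Error('illegal sequence *** in pattern: ' + item);
    }
    const source = escapeForRegExp(item)
      .replace(/\\\*\\\*/g, '.*')          // '**' -> any characters at all
      .replace(/\\\*/g, '[^:/.?&;]*');     // '*'  -> never crosses : / . ? & ;
    return new RegExp('^' + source + '$');
  }
  if (item instanceof RegExp) return new RegExp('^' + item.source + '$');
  throw new Error('list items must be "self", a string pattern or a RegExp');
}

function makeResourceUrlPolicy(appOrigin, trustedList, bannedList) {
  const origin = new URL(appOrigin).origin;
  // Snapshot both arrays, as the provider does, so later mutation is ignored.
  const trusted = trustedList.map(adjustMatcher);
  const banned = bannedList.map(adjustMatcher);

  function matchUrl(matcher, parsed) {
    if (matcher === 'self') return parsed.origin === origin;
    return matcher.test(parsed.href);
  }

  // The documented decision: at least one trusted item must match the
  // resolved absolute URL, and then no banned item may match it.
  return function isResourceUrlAllowed(url) {
    const parsed = new URL(url, origin + '/');   // relative URLs resolve against the app
    const allowed = trusted.some(m => matchUrl(m, parsed));
    if (!allowed) return false;
    return !banned.some(m => matchUrl(m, parsed));
  };
}

// The configuration from this page, ready to evaluate sample URLs.
const policy = makeResourceUrlPolicy('http://myapp.example.com', [
  'self',
  'http://srv*.assets.example.com/**'
], [
  'http://myapp.example.com/clickThru**'
]);

// The same host pattern written with '**' instead of '*': constructed here
// only to show why the page's comment warns about the difference.
const loosePolicy = makeResourceUrlPolicy('http://myapp.example.com', [
  'http://srv**.assets.example.com/**'
], []);
```

Running policy('http://myapp.example.com/clickThru?to=http://evil.example/') returns false even though 'self' matches, because the banned entry wins; policy('http://srv01.assets.example.com:8080/x.html') returns false because '*' will not cross the ':' before the port. The looser pattern is the instructive failure: loosePolicy('http://srv.evil.example/?x=.assets.example.com/') returns true, since '**' in the host position happily spans an attacker's hostname and path, while the page's '*' version rejects that URL.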

Methods

  • trustedResourceUrlList([trustedResourceUrlList]);

    Sets/Gets the list of trusted resource URLs.

    The default value when no trustedResourceUrlList has been explicitly set is ['self'] allowing only same origin resource requests.

    Note: the default trustedResourceUrlList of 'self' is not recommended if your app shares its origin with other apps, since any of them could then serve a template for yours! It is a good idea to limit it to only your application's own directory, i.e. a pattern covering just that path instead of 'self'.

    Parameters

    Param Type Details
    trustedResourceUrlList
    (optional)
    Array

    When provided, replaces the trustedResourceUrlList with the value provided. This must be an array or null. A snapshot of this array is used, so further changes to the array are ignored. See the $sce documentation for a description of the items allowed in this array ('self', string patterns using the * and ** wildcards, or RegExp objects).

    Returns

    Array

    The currently set trusted resource URL array.

  • resourceUrlWhitelist();

    Deprecated: (since 1.8.1)

    This method is deprecated. Use trustedResourceUrlList instead.

  • bannedResourceUrlList([bannedResourceUrlList]);

    Sets/Gets the list of banned resource URLs.

    The default value when no bannedResourceUrlList has been explicitly set is the empty array (i.e. nothing is banned).

    Parameters

    Param Type Details
    bannedResourceUrlList
    (optional)
    Array

    When provided, replaces the bannedResourceUrlList with the value provided. This must be an array or null. A snapshot of this array is used, so further changes to the array are ignored.

    See the $sce documentation for a description of the items allowed in this array (the same forms as for trustedResourceUrlList: 'self', string patterns using the * and ** wildcards, or RegExp objects).

    The typical usage for the bannedResourceUrlList is to block open redirects served by your own domain: such URLs would otherwise be trusted (for example via 'self') but actually return content from the domain they redirect to.

    Finally, the banned resource URL list overrides the trusted resource URL list and has the final say.

    Returns

    Array

    The currently set bannedResourceUrlList array.

  • resourceUrlBlacklist();

    Deprecated: (since 1.8.1)

    This method is deprecated. Use bannedResourceUrlList instead.

© 2010–2020 Google, Inc.
Licensed under the Creative Commons Attribution License 3.0.
https://code.angularjs.org/1.8.2/docs/api/ng/provider/$sceDelegateProvider