The `$sceDelegateProvider` provider allows developers to configure the `$sceDelegate` service, used as a delegate for `$sce` Strict Contextual Escaping (SCE).

The `$sceDelegateProvider` allows one to get/set the `trustedResourceUrlList` and `bannedResourceUrlList` used to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all places that use the `$sce.RESOURCE_URL` context). See `$sceDelegateProvider.trustedResourceUrlList` and `$sceDelegateProvider.bannedResourceUrlList`.

For the general details about this service in AngularJS, read the main page for `$sce` Strict Contextual Escaping (SCE).

Example: Consider the following case.

  • your app is hosted at url http://myapp.example.com/
  • but some of your templates are hosted on other domains you control such as http://srv01.assets.example.com/, http://srv02.assets.example.com/, etc.
  • and you have an open redirect at http://myapp.example.com/clickThru?....

Here is what a secure configuration for this scenario might look like:

```javascript
angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.trustedResourceUrlList([
    // Allow same origin resource loads.
    'self',
    // Allow loading from our assets domain. Notice the difference between * and **.
    'http://srv*.assets.example.com/**'
  ]);

  // The banned resource URL list overrides the trusted resource URL list so the open redirect
  // here is blocked.
  $sceDelegateProvider.bannedResourceUrlList([
    'http://myapp.example.com/clickThru**'
  ]);
});
```

Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require you to manually mark each one as trusted with `$sce.trustAsResourceUrl`. However, templates requested by `$templateRequest` that are already present in `$templateCache` will not go through this check. If you have a mechanism to populate your templates in that cache at config time, then it is a good idea to remove `'self'` from the trusted resource URL list. This helps to mitigate the security impact of certain types of issues, for instance attacker-controlled `ng-include` URLs.
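To make the matching rules of the configuration above concrete, the following is an added stand-alone model (not AngularJS's own code) of how the two lists are evaluated: `*` matches any run of characters except `:/.?&;`, `**` matches anything, a URL must match a trusted pattern and no banned pattern, and `'self'` is approximated by comparing origins against an assumed `APP_ORIGIN` instead of the browser's location.

```javascript
// Constructed model of AngularJS resource-URL matching; APP_ORIGIN is an
// assumption standing in for the page's own origin.
const APP_ORIGIN = 'http://myapp.example.com';

function patternToRegExp(pattern) {
  // Three consecutive stars are ambiguous, so they are rejected outright.
  if (pattern.indexOf('***') !== -1) {
    throw new Error("illegal wildcard '***' in pattern: " + pattern);
  }
  // Escape regex metacharacters, then translate '**' before '*' so that the
  // single-star rule does not consume half of a double star.
  const escaped = pattern.replace(/([-()\[\]{}+?*.$\^|,:#<!\\])/g, '\\$1');
  const body = escaped
    .replace(/\\\*\\\*/g, '.*')            // '**' : anything, including '/' and '.'
    .replace(/\\\*/g, '[^:/.?&;]*');       // '*'  : stays within one URL component
  return new RegExp('^' + body + '$');
}

function matches(pattern, url) {
  if (pattern === 'self') {
    // Same-origin check; the real framework compares against the document's location.
    return new URL(url).origin === APP_ORIGIN;
  }
  return patternToRegExp(pattern).test(url);
}

// A resource URL is trusted only if some trusted pattern matches it and
// no banned pattern does: the banned list overrides the trusted list.
function isTrustedResourceUrl(url, trustedList, bannedList) {
  const trusted = trustedList.some((p) => matches(p, url));
  const banned = bannedList.some((p) => matches(p, url));
  return trusted && !banned;
}

// The same lists as in the configuration example above.
const trustedList = ['self', 'http://srv*.assets.example.com/**'];
const bannedList = ['http://myapp.example.com/clickThru**'];

function check(url) {
  return isTrustedResourceUrl(url, trustedList, bannedList);
}
```

Comparing `matches` with the pattern `http://srv*.assets.example.com/**` against `http://srv**.assets.example.com/**` shows why the single star matters: the double-star form also accepts a foreign host whose query string merely contains `.assets.example.com/`.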

Constructors

    Returns $SceDelegateProvider

Properties

```typescript
$get: (string | (($injector: InjectorService, $$sanitizeUri: any) => {
    getTrusted: ((type: string, maybeTrusted: any) => any);
    trustAs: ((type: string, trustedValue: any) => any);
    valueOf: ((maybeTrusted: any) => any);
}))[]

SCE_CONTEXTS: {
    CSS: string;
    HTML: string;
    JS: string;
    MEDIA_URL: string;
    RESOURCE_URL: string;
    URL: string;
}

bannedResourceUrlList: ((value: any, ...args: any) => any[])
```

Type declaration

    • (value, ...args): any[]
    • Parameters

      • value: any
      • ...args: any

      Returns any[]

      The currently set bannedResourceUrlList array.

Sets/Gets the `bannedResourceUrlList`: resource URL patterns that are refused even when they also match the trusted resource URL list.

The default value when no banned resource URL list has been explicitly set is the empty array (i.e. nothing is banned).

```typescript
trustedResourceUrlList: ((value: any, ...args: any) => any[])
```

Type declaration

    • (value, ...args): any[]
    • Parameters

      • value: any
      • ...args: any

      Returns any[]

      The currently set trusted resource URL array.

Sets/Gets the list of trusted resource URLs.

The default value when no `trustedResourceUrlList` has been explicitly set is `['self']`, allowing only same-origin resource requests.

**Note:** the default `trustedResourceUrlList` of 'self' is not recommended if your app shares its origin with other apps! It is a good idea to limit it to only your application's directory.