The $sceDelegateProvider provider allows developers to configure the $sceDelegate service, used as a delegate for $sce Strict Contextual Escaping (SCE).

The $sceDelegateProvider allows one to get/set the trustedResourceUrlList and bannedResourceUrlList used to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all places that use the $sce.RESOURCE_URL context). See $sceDelegateProvider.trustedResourceUrlList and $sceDelegateProvider.bannedResourceUrlList.

For the general details about this service in AngularJS, read the main page for $sce Strict Contextual Escaping (SCE).

Example: Consider the following case.

- Your app is hosted at http://myapp.example.com/
- Some of your templates are served from other domains you control, such as http://srv01.assets.example.com/, http://srv02.assets.example.com/, etc.
- You have an open redirect at http://myapp.example.com/clickThru?...

Here is what a secure configuration for this scenario might look like:
angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.trustedResourceUrlList([
    // Allow same origin resource loads.
    'self',
    // Allow loading from our assets domain. Notice the difference between * and **:
    // '*' never crosses ':', '/', '.', '?', '&' or ';', so it stays within one host label;
    // '**' matches anything and is only safe at the very end of a path.
    'http://srv*.assets.example.com/**'
  ]);

  // The banned resource URL list overrides the trusted resource URL list, so the open
  // redirect here is blocked even though 'self' would otherwise allow it.
  $sceDelegateProvider.bannedResourceUrlList([
    'http://myapp.example.com/clickThru**'
  ]);
});
Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require you to manually mark each one as trusted with $sce.trustAsResourceUrl. However, templates requested by $templateRequest that are present in $templateCache will not go through this check. If you have a mechanism to populate your templates in that cache at config time, then it is a good idea to remove 'self' from the trusted resource URL list. This helps to mitigate the security impact of certain types of issues, like for instance attacker-controlled ng-includes.
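To see what the configuration above actually accepts and rejects, here is an added, stand-alone re-implementation of the documented matching rules (it is not AngularJS source and not part of this page). It runs under Node.js with no dependencies. The function names compilePattern, createResourceUrlPolicy and checkSamples are this example's own; 'self' is implemented as "same scheme, host and port as the application document", with the application origin passed in as an assumed appOrigin parameter; the sample URLs are constructed for the demonstration. Besides the page's own policy it also builds an empty trusted list, which blocks everything, and a variant with '**' in the host part, to show why that wildcard belongs only at the end of a path.

```javascript
// Added example, not AngularJS source: a stand-alone re-implementation of the
// documented matching rules for trustedResourceUrlList / bannedResourceUrlList,
// so the configuration above can be exercised against sample URLs offline (Node.js).
// Function names are this example's own; 'self' is approximated as "same origin as
// the application document", with that origin supplied as the assumed appOrigin.

// Turn one list entry into something the policy can test.
//   'self'   -> kept as the literal 'self', handled by origin comparison
//   RegExp   -> anchored to the whole URL
//   string   -> every regex metacharacter is escaped so '.' is a literal dot, then
//               '**' becomes '.*'          (any characters, including ':', '/', '.', '?')
//               '*'  becomes '[^:/.?&;]*'  (any characters that stay inside one URL component)
function compilePattern(pattern) {
  if (pattern === 'self') return pattern;
  if (pattern instanceof RegExp) return new RegExp('^' + pattern.source + '$');
  if (typeof pattern !== 'string') {
    throw new TypeError('matcher must be "self", a string or a RegExp');
  }
  // Three or more stars in a row are ambiguous, so reject them outright.
  if (pattern.indexOf('***') !== -1) {
    throw new Error('illegal sequence *** in pattern: ' + pattern);
  }
  const escaped = pattern.replace(/([-()\[\]{}+?*.$\^|,:#<!\\])/g, '\\$1');
  const source = escaped.replace(/\\\*\\\*/g, '.*').replace(/\\\*/g, '[^:/.?&;]*');
  return new RegExp('^' + source + '$');
}

// Build a checker for one app. A URL is allowed only if some trusted entry matches
// it AND no banned entry matches it: the banned list overrides the trusted list.
// Relative URLs are resolved against appOrigin, as a browser would resolve them.
function createResourceUrlPolicy({ appOrigin, trustedResourceUrlList = ['self'], bannedResourceUrlList = [] }) {
  const origin = new URL(appOrigin).origin;
  const trusted = trustedResourceUrlList.map(compilePattern);
  const banned = bannedResourceUrlList.map(compilePattern);

  return function isResourceUrlAllowed(url) {
    const parsed = new URL(url, appOrigin);
    const matches = (m) => (m === 'self' ? parsed.origin === origin : m.test(parsed.href));
    return trusted.some(matches) && !banned.some(matches);
  };
}

// The configuration from the page, plus two deliberately weaker variants for contrast.
const pagePolicy = createResourceUrlPolicy({
  appOrigin: 'http://myapp.example.com/',
  trustedResourceUrlList: ['self', 'http://srv*.assets.example.com/**'],
  bannedResourceUrlList: ['http://myapp.example.com/clickThru**'],
});
// '**' inside the host part: matches far more than intended (see hostLookalikeLoose).
const loosePolicy = createResourceUrlPolicy({
  appOrigin: 'http://myapp.example.com/',
  trustedResourceUrlList: ['http://srv**.assets.example.com/**'],
});
// Empty trusted list: nothing passes; every URL would need $sce.trustAsResourceUrl().
const emptyPolicy = createResourceUrlPolicy({
  appOrigin: 'http://myapp.example.com/',
  trustedResourceUrlList: [],
});

// Constructed sample URLs (not from the page) and the verdict each policy gives.
function checkSamples() {
  const lookalike = 'http://srvx.evil.test/?ignore=.assets.example.com/';
  return {
    sameOriginTemplate:  pagePolicy('partials/menu.html'),                                   // true: 'self'
    assetsTemplate:      pagePolicy('http://srv02.assets.example.com/tpl/widget.html'),      // true: srv* entry
    assetsSuffixSpoof:   pagePolicy('http://srv02.assets.example.com.evil.test/x.html'),     // false: literal tail fails
    openRedirect:        pagePolicy('http://myapp.example.com/clickThru?to=http://evil.test/'), // false: banned overrides 'self'
    schemeMismatch:      pagePolicy('https://myapp.example.com/partials/menu.html'),         // false: 'self' means same scheme
    hostLookalikeStrict: pagePolicy(lookalike),                                              // false: '*' cannot cross '.'
    hostLookalikeLoose:  loosePolicy(lookalike),                                             // true: '**' crossed into the query
    emptyListBlocksSelf: emptyPolicy('partials/menu.html'),                                  // false: nothing is trusted
  };
}

console.table(checkSamples());
```

The hostLookalikeLoose row is the reason the page stresses the difference between * and **: with '**' anywhere before the path, an attacker-controlled host can place the expected literal suffix in its query string and satisfy the pattern. The banned list is evaluated only after a trusted entry has matched, which is why the clickThru entry can veto a same-origin URL.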
bannedResourceUrlList(...args)

Sets/Gets the list of banned resource URLs. Entries in this list override the trusted resource URL list. Returns the currently set bannedResourceUrlList array.

trustedResourceUrlList(...args)

Sets/Gets the list of trusted resource URLs. The default value when no trustedResourceUrlList has been explicitly set is ['self'], allowing only same origin resource requests. Returns the currently set trusted resource URL array.