ng.$sceDelegateProvider.html
<a href="http://github.com/angular/angular.js/tree/v1.2.3/src/ng/sce.js#L92" class="view-source btn btn-action"><i class="icon-zoom-in"> </i> View source</a><h1><code ng:non-bindable="">$sceDelegateProvider</code>
<div><span class="hint">service in module <code ng:non-bindable="">ng</code>
</span>
</div>
</h1>
<div><h2 id="description">Description</h2>
<div class="description"><div class="ng-scedelegateprovider-page"><p>The <code>$sceDelegateProvider</code> provider allows developers to configure the <a href="api/ng.$sceDelegate"><code>$sceDelegate</code></a> service. Through it you get/set the whitelist and blacklist that decide which URLs Angular is allowed to load templates from (for example via <code>ng-include</code> or a directive's <code>templateUrl</code>). A URL is accepted only if it matches at least one whitelist item and no blacklist item. See <a href="api/ng.$sceDelegateProvider#methods_resourceurlwhitelist"><code>$sceDelegateProvider.resourceUrlWhitelist</code></a> and
<a href="api/ng.$sceDelegateProvider#methods_resourceurlblacklist"><code>$sceDelegateProvider.resourceUrlBlacklist</code></a>.</p>
<p>For the general details about this service in Angular, read the main page for <a href="api/ng.$sce"><code>Strict Contextual Escaping (SCE)</code></a>.</p>
<p><strong>Example</strong>: Consider the following case. <a name="example"></a></p>
<ul>
<li>your app is hosted at url <code>http://myapp.example.com/</code></li>
<li>but some of your templates are hosted on other domains you control such as
<code>http://srv01.assets.example.com/</code>, <code>http://srv02.assets.example.com/</code>, etc.</li>
<li>and you have an open redirect at <code>http://myapp.example.com/clickThru?...</code>.</li>
</ul>
<p>Here is what a secure configuration for this scenario might look like:</p>
<pre class="prettyprint linenums">
angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.resourceUrlWhitelist([
    // Allow same origin resource loads.
    'self',
    // Allow loading from our assets domain. Notice the difference between * and **:
    // '*' does not cross ':/.?&amp;;', so it can match "01" in the host name but not
    // an arbitrary host or path; '**' matches anything.
    'http://srv*.assets.example.com/**']);
  // The blacklist overrides the whitelist so the open redirect here is blocked.
  $sceDelegateProvider.resourceUrlBlacklist([
    'http://myapp.example.com/clickThru**']);
});
</pre>
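<p>The following is an added example and not AngularJS source code: a stand-alone Node.js model of the decision <code>$sceDelegate</code> makes with the whitelist and blacklist configured above, so the pattern rules (<code>'self'</code>, <code>*</code>, <code>**</code>, <code>RegExp</code> items) and the "blacklist overrides whitelist" rule described under the methods below can be exercised against concrete URLs. <code>APP_ORIGIN</code>, the sample URLs, and the function names <code>patternToRegExp</code>, <code>compileItem</code>, <code>isResourceUrlAllowedByPolicy</code> and <code>evaluateCases</code> are constructed for this example; the matching semantics are taken from the SCE documentation, not from the Angular implementation itself.</p>

```javascript
// Added example, not AngularJS source: a stand-alone model of how
// $sceDelegate decides whether a template URL may be loaded. Pattern rules
// as documented for $sce: 'self' means same origin as the app document, a
// string item must match the whole URL, '*' matches any run of characters
// except ':/.?&;', '**' matches any run of characters, and a RegExp item is
// tested directly. APP_ORIGIN and the sample URLs are constructed values.
const APP_ORIGIN = 'http://myapp.example.com';

// Turn a string pattern into an anchored RegExp. Regex metacharacters other
// than '*' are escaped first; '**' and '*' are then expanded in a single pass
// so the '.*' produced for '**' is not itself rewritten by the '*' rule.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[-[\]{}()+?.,\\^$|#\s]/g, '\\$&');
  const body = escaped.replace(/\*\*|\*/g, (m) => (m === '**' ? '.*' : '[^:/.?&;]*'));
  return new RegExp('^' + body + '$');
}

// Compile one whitelist/blacklist item into a predicate over an absolute URL.
function compileItem(item) {
  if (item === 'self') {
    return (url) => new URL(url).origin === APP_ORIGIN;
  }
  if (item instanceof RegExp) {
    return (url) => item.test(url);
  }
  if (typeof item === 'string') {
    const re = patternToRegExp(item);
    return (url) => re.test(url);
  }
  throw new TypeError('list items must be "self", a string pattern or a RegExp');
}

// The URL must match at least one whitelist item and no blacklist item.
// The blacklist has the final say, and an empty whitelist allows nothing.
function isResourceUrlAllowedByPolicy(url, whitelist, blacklist) {
  const abs = new URL(url, APP_ORIGIN).href; // relative URLs resolve against the app
  const allowed = whitelist.map(compileItem).some((test) => test(abs));
  if (!allowed) return false;
  const blocked = blacklist.map(compileItem).some((test) => test(abs));
  return !blocked;
}

// The policy from the configuration example above.
const WHITELIST = ['self', 'http://srv*.assets.example.com/**'];
const BLACKLIST = ['http://myapp.example.com/clickThru**'];

// Constructed URLs a template loader might be handed, with the expected verdicts.
const CASES = [
  ['/partials/home.html', true],                                   // same origin, relative
  ['http://srv01.assets.example.com/tpl/list.html', true],         // '*' covers "01"
  ['http://myapp.example.com/clickThru?to=http://evil.example.org/t.html', false], // open redirect
  ['http://srv01.assets.example.com.evil.example.org/tpl.html', false],  // host suffix attack
  ['http://srv.evil.example.org/?x=.assets.example.com/', false],       // '*' cannot cross '/' or '?'
  ['http://evil.example.org/tpl.html', false],
];

function evaluateCases() {
  return CASES.map(([url, expected]) => ({
    url,
    expected,
    actual: isResourceUrlAllowedByPolicy(url, WHITELIST, BLACKLIST),
  }));
}

// Why '**' must not appear in the host part: with '**' the attacker URL above
// is accepted, because '**' happily spans '/' and '?'.
const LOOSE_WHITELIST = ['self', 'http://srv**.assets.example.com/**'];

for (const r of evaluateCases()) {
  console.log(`${r.actual ? 'ALLOW' : 'BLOCK'}  ${r.url}`);
}
console.log('loose host pattern accepts attacker URL:',
  isResourceUrlAllowedByPolicy('http://srv.evil.example.org/?x=.assets.example.com/',
    LOOSE_WHITELIST, BLACKLIST));
```

<p>Run it with <code>node</code>; the verdict list should show the two legitimate URLs allowed and the open redirect, the host-suffix URL and the attacker-controlled hosts blocked, while the loose <code>srv**</code> variant prints <code>true</code> for the attacker URL. The practical takeaway is that <code>*</code> belongs in host names and <code>**</code> only after the path separator, and that any same-origin endpoint that can echo or redirect to attacker-chosen content needs a blacklist entry, because <code>'self'</code> alone would trust it.</p>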
</div></div>
<div class="member method"><h2 id="methods">Methods</h2>
<ul class="methods"><li><h3 id="methods_resourceurlblacklist">resourceUrlBlacklist(blacklist)</h3>
<div class="resourceurlblacklist"><div class="ng-scedelegateprovider-resourceurlblacklist-page"><p>Sets/Gets the blacklist of resource URL patterns. A URL that matches any item in this list is never trusted as a resource URL, even if it also matches the whitelist.</p>
</div><h5 id="methods_resourceurlblacklist_parameters">Parameters</h5><table class="variables-matrix table table-bordered table-striped"><thead><tr><th>Param</th><th>Type</th><th>Details</th></tr></thead><tbody><tr><td>blacklist <div><em>(optional)</em></div></td><td><a href="" class="label type-hint type-hint-array">Array</a></td><td><div class="ng-scedelegateprovider-resourceurlblacklist-page"><p>When provided, replaces the resourceUrlBlacklist with the value
provided. This must be an array or null. A snapshot of this array is used so further
changes to the array are ignored.</p>
<p>Follow <a href="api/ng.$sce#resourceurlpatternitem"><code>this link</code></a> for a description of the items
allowed in this array.</p>
<p>The typical usage for the blacklist is to <strong>block
<a href="http://cwe.mitre.org/data/definitions/601.html">open redirects</a></strong> served by your domain as
these would otherwise be trusted but actually return content from the redirected domain.</p>
<p>Finally, <strong>the blacklist overrides the whitelist</strong> and has the final say.</p>
</div></td></tr></tbody></table><h5 id="methods_resourceurlblacklist_returns">Returns</h5><table class="variables-matrix"><tr><td><a href="" class="label type-hint type-hint-array">Array</a></td><td><div class="ng-scedelegateprovider-resourceurlblacklist-page"><p>the currently set blacklist array.</p>
<p>The <strong>default value</strong> when no blacklist has been explicitly set is the empty array (i.e. there
is no blacklist, and the whitelist alone decides).</p>
</div></td></tr></table></div>
</li>
<li><h3 id="methods_resourceurlwhitelist">resourceUrlWhitelist(whitelist)</h3>
<div class="resourceurlwhitelist"><div class="ng-scedelegateprovider-resourceurlwhitelist-page"><p>Sets/Gets the whitelist of trusted resource URLs.</p>
</div><h5 id="methods_resourceurlwhitelist_parameters">Parameters</h5><table class="variables-matrix table table-bordered table-striped"><thead><tr><th>Param</th><th>Type</th><th>Details</th></tr></thead><tbody><tr><td>whitelist <div><em>(optional)</em></div></td><td><a href="" class="label type-hint type-hint-array">Array</a></td><td><div class="ng-scedelegateprovider-resourceurlwhitelist-page"><p>When provided, replaces the resourceUrlWhitelist with the value
provided. This must be an array or null. A snapshot of this array is used so further
changes to the array are ignored.</p>
<p>Follow <a href="api/ng.$sce#resourceurlpatternitem"><code>this link</code></a> for a description of the items
allowed in this array.</p>
<p>Note: <strong>an empty whitelist array will block all URLs</strong>!</p>
</div></td></tr></tbody></table><h5 id="methods_resourceurlwhitelist_returns">Returns</h5><table class="variables-matrix"><tr><td><a href="" class="label type-hint type-hint-array">Array</a></td><td><div class="ng-scedelegateprovider-resourceurlwhitelist-page"><p>the currently set whitelist array.</p>
<p>The <strong>default value</strong> when no whitelist has been explicitly set is <code>['self']</code> allowing only
same origin resource requests.</p>
</div></td></tr></table></div>
</li>
</ul>
</div>
</div>