The $sceDelegateProvider provider allows developers to configure the $sceDelegate service, used as a delegate for Strict Contextual Escaping (SCE).
The $sceDelegateProvider allows one to get/set the trustedResourceUrlList and
bannedResourceUrlList used to ensure that the URLs used for sourcing AngularJS templates and
other script-running URLs are safe (all places that use the $sce.RESOURCE_URL context). See
$sceDelegateProvider.trustedResourceUrlList and
$sceDelegateProvider.bannedResourceUrlList.
For the general details about this service in AngularJS, read the main page for Strict Contextual Escaping (SCE).
Example: Consider the following case.

- Your app is served from http://myapp.example.com/
- Some of your templates are served from assets hosts you control, such as http://srv01.assets.example.com/, http://srv02.assets.example.com/, etc.
- Your app also has an open redirect at http://myapp.example.com/clickThru?....

Here is what a secure configuration for this scenario might look like:
```javascript
angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.trustedResourceUrlList([
    // Allow same origin resource loads.
    'self',
    // Allow loading from our assets domain. Notice the difference between * and **.
    'http://srv*.assets.example.com/**'
  ]);

  // The banned resource URL list overrides the trusted resource URL list so the open redirect
  // here is blocked.
  $sceDelegateProvider.bannedResourceUrlList([
    'http://myapp.example.com/clickThru**'
  ]);
});
```
Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require
you to manually mark each one as trusted with $sce.trustAsResourceUrl. However, templates
requested by $templateRequest that are already present in
$templateCache will not go through this check. If you have a mechanism
to populate your templates in that cache at config time, then it is a good idea to remove 'self'
from the trusted resource URL list. This helps to mitigate the security impact of certain types
of issues, for instance attacker-controlled ng-includes.
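To make the matching rules concrete, here is an added, stand-alone JavaScript evaluator that re-implements the documented semantics of the two lists (it is not AngularJS's own $sceDelegate code). It compiles `'self'`, string patterns and RegExp entries the way the SCE page describes them, resolves and normalises each URL before matching, and applies the rule that the banned list has the final say. It then runs the configuration above against a handful of constructed URLs, and goes slightly beyond the page by also showing what happens when `**` is (wrongly) used inside the host part of a pattern. Assumptions: the application's document origin is passed in explicitly because there is no browser `document` here, and `pagePolicy`, `sloppyPolicy` and the sample URLs are constructed for this example.

```javascript
// Added example, not AngularJS's own code: a stand-alone re-implementation of the
// documented matching rules for trustedResourceUrlList / bannedResourceUrlList so the
// configuration above can be evaluated offline. Assumption: the app's document origin
// is passed in explicitly (there is no browser `document` in this script).

// Compile one string pattern into a full-match RegExp.
//   '*'  matches any run of characters except : / . ? & ;  (cannot cross a host or path boundary)
//   '**' matches any run of characters at all                (only safe at the very end of a path)
// Every other character matches itself; '***' is ill-defined and rejected.
function patternToRegExp(pattern) {
  if (pattern.includes('***')) {
    throw new Error('Illegal sequence *** in string matcher: ' + pattern);
  }
  const source = pattern
    .split(/(\*\*|\*)/) // the capture group keeps the wildcard tokens in the output
    .map((tok) => {
      if (tok === '**') return '.*';
      if (tok === '*') return '[^:/.?&;]*';
      return tok.replace(/[-()[\]{}+?.$^|\\]/g, '\\$&'); // literal text, RegExp-escaped
    })
    .join('');
  return new RegExp('^' + source + '$');
}

// Turn one list entry into something matchUrl() understands.
function compileMatcher(matcher) {
  if (matcher === 'self') return 'self';
  if (typeof matcher === 'string') return patternToRegExp(matcher);
  if (matcher instanceof RegExp) {
    // A RegExp must match the whole URL; flags (g, i, m) are deliberately dropped.
    return new RegExp('^' + matcher.source + '$');
  }
  throw new Error('Matchers may only be "self", string patterns or RegExp objects');
}

// 'self' means same scheme and same host (including port) as the application document.
function matchUrl(matcher, url, appOrigin) {
  if (matcher === 'self') {
    return url.protocol === appOrigin.protocol && url.host === appOrigin.host;
  }
  return matcher.test(url.href);
}

// Build an isResourceUrlAllowed(url) predicate from a trusted and a banned list.
function makePolicy({ appOrigin, trusted = ['self'], banned = [] }) {
  const origin = new URL(appOrigin);
  const trustedMatchers = trusted.map(compileMatcher);
  const bannedMatchers = banned.map(compileMatcher);
  return function isResourceUrlAllowed(rawUrl) {
    // Relative URLs are resolved against the app origin and the result is normalised
    // (lower-cased host, default port dropped) before any pattern is applied.
    const url = new URL(String(rawUrl), origin);
    const trustedHit = trustedMatchers.some((m) => matchUrl(m, url, origin));
    // The banned list has the final say: it can only take trust away, never grant it.
    const bannedHit = bannedMatchers.some((m) => matchUrl(m, url, origin));
    return trustedHit && !bannedHit;
  };
}

// The configuration from the page, expressed for this evaluator (constructed for the example).
const pagePolicy = makePolicy({
  appOrigin: 'http://myapp.example.com/',
  trusted: ['self', 'http://srv*.assets.example.com/**'],
  banned: ['http://myapp.example.com/clickThru**'],
});

// A sloppy variant that puts '**' in the host part, to show why that is dangerous.
const sloppyPolicy = makePolicy({
  appOrigin: 'http://myapp.example.com/',
  trusted: ['http://srv**.assets.example.com/**'],
});

// Constructed sample URLs an attacker-controlled ng-include might try to load.
const samples = [
  '/templates/login.html',                                  // same origin: allowed
  'http://srv02.assets.example.com/tpl/header.html',        // assets host: allowed
  '/clickThru?url=http://evil.example/payload.html',        // open redirect: banned list wins
  'http://MyApp.Example.com/clickThru?url=//evil.example/', // normalised host, still banned
  'http://myapp.example.com:8080/templates/login.html',     // different port: not 'self'
  'https://srv01.assets.example.com/tpl/a.html',            // scheme differs: blocked
  'http://srv01.evil.example/?x=.assets.example.com/',      // '*' cannot cross '.' or '/'
];

for (const u of samples) {
  console.log(`${pagePolicy(u) ? 'ALLOW' : 'BLOCK'}  ${u}`);
}
// With '**' in the host, '.*' spans the real host and the look-alike URL is let through.
console.log('sloppy pattern allows look-alike host:',
  sloppyPolicy('http://srv01.evil.example/?x=.assets.example.com/'));
```

The last two samples are the ones to keep in mind when writing patterns: a single `*` stops at `.` and `/`, so `srv*` can only ever match a label of the real `assets.example.com` host, whereas `srv**` matches all the way into an attacker's query string.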
trustedResourceUrlList([trustedResourceUrlList]);
Sets/Gets the list of trusted resource URLs.
The default value when no trustedResourceUrlList has been explicitly set is ['self'],
allowing only same origin resource requests.
A trustedResourceUrlList of 'self' is not recommended if your app shares
its origin with other apps! It is a good idea to limit it to only your application's directory.
Parameters:

| Param | Type | Details |
|---|---|---|
| trustedResourceUrlList (optional) | Array | When provided, replaces the trustedResourceUrlList with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored. See the Strict Contextual Escaping (SCE) page for a description of the items allowed in this array. |

Returns:

| Type | Details |
|---|---|
| Array | The currently set trusted resource URL array. |
resourceUrlWhitelist();
This method is deprecated. Use trustedResourceUrlList instead.
bannedResourceUrlList([bannedResourceUrlList]);
Sets/Gets the list of banned resource URLs.
The default value when no bannedResourceUrlList has been explicitly set is the empty
array (i.e. there is no bannedResourceUrlList.)
Parameters:

| Param | Type | Details |
|---|---|---|
| bannedResourceUrlList (optional) | Array | When provided, replaces the bannedResourceUrlList with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored. See the Strict Contextual Escaping (SCE) page for a description of the items allowed in this array. The typical usage for the bannedResourceUrlList is to block open redirects served by your own domain, which would otherwise be trusted but actually return content from the redirected domain. Finally, the banned resource URL list overrides the trusted resource URL list and has the final say. |

Returns:

| Type | Details |
|---|---|
| Array | The currently set banned resource URL array. |
resourceUrlBlacklist();
This method is deprecated. Use bannedResourceUrlList instead.