The $sceDelegateProvider provider allows developers
to configure the ng.$sceDelegate $sceDelegate service, used as a
delegate for ng.$sce Strict Contextual Escaping (SCE).
The $sceDelegateProvider allows one to get/set the
trustedResourceUrlList and
bannedResourceUrlList used to ensure that the URLs
used for sourcing AngularTS templates and other script-running
URLs are safe (all places that use the
$sce.RESOURCE_URL context). See
ng.$sceDelegateProvider#trustedResourceUrlList
$sceDelegateProvider.trustedResourceUrlList and
ng.$sceDelegateProvider#bannedResourceUrlList
$sceDelegateProvider.bannedResourceUrlList,
For the general details about this service in AngularTS, read the
main page for ng.$sce Strict Contextual Escaping (SCE).
Example: Consider the following case.
your app is hosted at url http://myapp.example.com/
but some of your templates are hosted on other domains you
control such as http://srv01.assets.example.com/,
http://srv02.assets.example.com/, etc.
and you have an open redirect at
http://myapp.example.com/clickThru?....
Here is what a secure configuration for this scenario might look
like:
angular.module('myApp', []).config(function($sceDelegateProvider) { $sceDelegateProvider.trustedResourceUrlList([ // Allow same origin resource loads. 'self', // Allow loading from our assets domain. Notice the difference between * and **. 'http://srv*.assets.example.com/**' ]);
// The banned resource URL list overrides the trusted resource URL list so the open redirect // here is blocked. $sceDelegateProvider.bannedResourceUrlList([ 'http://myapp.example.com/clickThru**' ]); });
Note that an empty trusted resource URL list will block every
resource URL from being loaded, and will require you to manually
mark each one as trusted with
$sce.trustAsResourceUrl. However, templates requested
by ng.$templateRequest $templateRequest that are present in
ng.$templateCache $templateCache will not go through this check.
If you have a mechanism to populate your templates in that cache
at config time, then it is a good idea to remove 'self' from the
trusted resource URL lsit. This helps to mitigate the security
impact of certain types of issues, like for instance
attacker-controlled ng-includes.
The
$sceDelegateProviderprovider allows developers to configure the ng.$sceDelegate $sceDelegate service, used as a delegate for ng.$sce Strict Contextual Escaping (SCE).The
$sceDelegateProviderallows one to get/set thetrustedResourceUrlListandbannedResourceUrlListused to ensure that the URLs used for sourcing AngularTS templates and other script-running URLs are safe (all places that use the$sce.RESOURCE_URLcontext). See ng.$sceDelegateProvider#trustedResourceUrlList $sceDelegateProvider.trustedResourceUrlList and ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList,For the general details about this service in AngularTS, read the main page for ng.$sce Strict Contextual Escaping (SCE).
Example: Consider the following case.
http://myapp.example.com/http://srv01.assets.example.com/,http://srv02.assets.example.com/, etc.http://myapp.example.com/clickThru?....Here is what a secure configuration for this scenario might look like:
Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require you to manually mark each one as trusted with
$sce.trustAsResourceUrl. However, templates requested by ng.$templateRequest $templateRequest that are present in ng.$templateCache $templateCache will not go through this check. If you have a mechanism to populate your templates in that cache at config time, then it is a good idea to remove 'self' from the trusted resource URL lsit. This helps to mitigate the security impact of certain types of issues, like for instance attacker-controlledng-includes.