AngularTS
    Preparing search index...

    Class SceDelegateProvider

    The $sceDelegateProvider provider allows developers to configure the ng.$sceDelegate $sceDelegate service, used as a delegate for ng.$sce Strict Contextual Escaping (SCE).

    The $sceDelegateProvider allows one to get/set the trustedResourceUrlList and bannedResourceUrlList used to ensure that the URLs used for sourcing AngularTS templates and other script-running URLs are safe (all places that use the $sce.RESOURCE_URL context). See ng.$sceDelegateProvider#trustedResourceUrlList $sceDelegateProvider.trustedResourceUrlList and ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList,

    For the general details about this service in AngularTS, read the main page for ng.$sce Strict Contextual Escaping (SCE).

    Example: Consider the following case.

    • your app is hosted at url http://myapp.example.com/
    • but some of your templates are hosted on other domains you control such as http://srv01.assets.example.com/, http://srv02.assets.example.com/, etc.
    • and you have an open redirect at http://myapp.example.com/clickThru?....

    Here is what a secure configuration for this scenario might look like:

     angular.module('myApp', []).config(function($sceDelegateProvider) {
    $sceDelegateProvider.trustedResourceUrlList([
    // Allow same origin resource loads.
    'self',
    // Allow loading from our assets domain. Notice the difference between * and **.
    'http://srv*.assets.example.com/**'
    ]);

    // The banned resource URL list overrides the trusted resource URL list so the open redirect
    // here is blocked.
    $sceDelegateProvider.bannedResourceUrlList([
    'http://myapp.example.com/clickThru**'
    ]);
    });

    Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require you to manually mark each one as trusted with $sce.trustAsResourceUrl. However, templates requested by ng.$templateRequest $templateRequest that are present in ng.$templateCache $templateCache will not go through this check. If you have a mechanism to populate your templates in that cache at config time, then it is a good idea to remove 'self' from the trusted resource URL lsit. This helps to mitigate the security impact of certain types of issues, like for instance attacker-controlled ng-includes.

    Implements

    • UriSanitizationConfig
    Index

    Constructors

    Properties

    $get: [
        string,
        string,
        string,
        (
            $injector: InjectorService,
            $window: Window,
            $exceptionHandler: ExceptionHandler,
        ) => SceDelegateService,
    ]
    aHrefSanitizationTrustedUrlList: (
        regexp?: RegExp,
    ) => RegExp | SceDelegateProvider

    Retrieves or overrides the regular expression used to trust safe URLs for a[href] sanitization.

    bannedResourceUrlList: (value?: SceMatcher[] | null) => SceMatcher[]
    imgSrcSanitizationTrustedUrlList: (
        regexp?: RegExp,
    ) => RegExp | SceDelegateProvider

    Retrieves or overrides the regular expression used to trust safe URLs for media source sanitization.

    trustedResourceUrlList: (value?: SceMatcher[] | null) => SceMatcher[]