The $sceDelegateProvider provider allows developers to configure the $sceDelegate service, which $sce uses as its delegate for Strict Contextual Escaping (SCE).
$sceDelegateProvider lets you get/set the trustedResourceUrlList and bannedResourceUrlList that
decide which URLs may be used for sourcing AngularTS templates and other script-running resources,
i.e. every place that uses the $sce.RESOURCE_URL context. See
$sceDelegateProvider.trustedResourceUrlList and $sceDelegateProvider.bannedResourceUrlList.
For the general details about this service in AngularTS, read the main page for $sce Strict Contextual Escaping (SCE).
Example: Consider the following case.
- Your app is hosted at http://myapp.example.com/
- Some of your templates are hosted on other domains you control, such as
  http://srv01.assets.example.com/, http://srv02.assets.example.com/, etc.
- You have an open redirect at http://myapp.example.com/clickThru?....
Here is what a secure configuration for this scenario might look like:
    angular.module('myApp', []).config(function($sceDelegateProvider) {
      $sceDelegateProvider.trustedResourceUrlList([
        // Allow same origin resource loads.
        'self',
        // Allow loading from our assets domain. Notice the difference between * and **:
        // '*' matches a single label or path segment, '**' matches anything, including '/'.
        'http://srv*.assets.example.com/**'
      ]);

      // The banned resource URL list overrides the trusted resource URL list, so the open
      // redirect here is blocked even though it is same origin.
      $sceDelegateProvider.bannedResourceUrlList([
        'http://myapp.example.com/clickThru**'
      ]);
    });
Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require
you to manually mark each one as trusted with $sce.trustAsResourceUrl. However, templates
requested by $templateRequest that are already present in $templateCache do not go through
this check. If you have a mechanism to populate your templates in that cache at config time,
then it is a good idea to remove 'self' from the trusted resource URL list: with 'self' gone, a
URL an attacker manages to inject into a template reference (for instance an attacker-controlled
ng-include) is rejected even when it points back at your own origin. This helps to mitigate the
security impact of that class of issue.
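The following is an added example, not part of this page or of the framework's own source. It re-implements, stand-alone, the policy decision that the configuration above produces, so you can see exactly what 'self', '*' and '**' accept and how the banned list takes precedence. It assumes AngularTS keeps the AngularJS matching rules ('*' matches any run of characters except `: / . ? & ;`, '**' matches anything, 'self' means same origin as the page), and it assumes the page origin is http://myapp.example.com. The sample URLs are constructed for the demonstration.

```javascript
// Added example: stand-alone model of the $sceDelegate resource-URL policy.
// Assumption: same semantics as AngularJS for 'self', '*' and '**'.

// Origin of the hosting page; 'self' is checked against this (assumed value).
const APP_ORIGIN = 'http://myapp.example.com';

// Escape a literal pattern so it can be embedded in a RegExp source string.
function escapeForRegexp(s) {
  return s.replace(/([-()\[\]{}+?*.$\^|,:#<!\\])/g, '\\$1');
}

// Turn one list entry into a matcher.
//   'self'   -> same-origin check
//   string   -> literal match, except '**' = any characters and
//               '*' = any characters other than : / . ? & ;
//               (so a single '*' cannot cross a domain label, a port or a path segment)
//   RegExp   -> anchored so it must match the whole URL
function adjustMatcher(matcher) {
  if (matcher === 'self') return matcher;
  if (typeof matcher === 'string') {
    if (matcher.indexOf('***') > -1) {
      throw new Error('Illegal sequence *** in string matcher: ' + matcher);
    }
    const source = escapeForRegexp(matcher)
      .replace(/\\\*\\\*/g, '.*')
      .replace(/\\\*/g, '[^:/.?&;]*');
    return new RegExp('^' + source + '$');
  }
  if (matcher instanceof RegExp) {
    return new RegExp('^' + matcher.source + '$');
  }
  throw new Error('Matchers may only be "self", string patterns or RegExp objects');
}

// 'self': scheme, host and port must all equal the page origin.
function sameOrigin(url) {
  try {
    return new URL(url).origin === APP_ORIGIN;
  } catch (e) {
    return false; // unparsable URL is never same origin
  }
}

function matchUrl(matcher, url) {
  return matcher === 'self' ? sameOrigin(url) : matcher.exec(url) !== null;
}

// Same precedence as the delegate: a URL must match at least one trusted
// entry AND must not match any banned entry.
function makePolicy(trustedList, bannedList) {
  const trusted = trustedList.map(adjustMatcher);
  const banned = bannedList.map(adjustMatcher);
  return function isResourceUrlAllowed(url) {
    if (!trusted.some((m) => matchUrl(m, url))) return false;
    return !banned.some((m) => matchUrl(m, url));
  };
}

// The configuration from the page, as plain lists.
const isAllowed = makePolicy(
  ['self', 'http://srv*.assets.example.com/**'],
  ['http://myapp.example.com/clickThru**']
);

// Variant without 'self' (the hardening suggested above): same-origin
// templates not already in $templateCache are now rejected too.
const isAllowedNoSelf = makePolicy(
  ['http://srv*.assets.example.com/**'],
  ['http://myapp.example.com/clickThru**']
);

// Constructed URLs an attacker-controlled ng-include might supply.
const SAMPLES = [
  'http://myapp.example.com/partials/list.html',                 // same origin: allowed
  'http://srv02.assets.example.com/tpl/widgets/a.html',          // assets host, deep path: allowed
  'http://srv02.assets.example.com.evil.test/tpl.html',          // '*' cannot swallow ".evil.test": blocked
  'http://myapp.example.com/clickThru?url=http://evil.test/t',   // same origin but banned: blocked
  'https://myapp.example.com/partials/list.html',                // scheme differs: blocked
];

function report(policy) {
  return SAMPLES.map((u) => `${policy(u) ? 'ALLOW' : 'BLOCK'} ${u}`);
}

console.log(report(isAllowed).join('\n'));
```

Note the difference a single '*' makes: `makePolicy(['http://srv*.assets.example.com/*'], [])` accepts `http://srv01.assets.example.com/tpl` but rejects `http://srv01.assets.example.com/tpl/x` and even `http://srv01.assets.example.com/tpl.html`, because '*' does not match '/' or '.'. Use '**' when you want to allow whole path trees.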