W3cubDocs

Improve this Doc View Source $sceDelegateProvider

$sceDelegate
provider in module ng

The $sceDelegateProvider provider allows developers to configure the $sceDelegate service. This allows one to get/set the whitelists and blacklists used to ensure that the URLs used for sourcing Angular templates are safe. Refer $sceDelegateProvider.resourceUrlWhitelist and $sceDelegateProvider.resourceUrlBlacklist

For the general details about this service in Angular, read the main page for Strict Contextual Escaping (SCE).

Example: Consider the following case.

your app is hosted at url http://myapp.example.com/
but some of your templates are hosted on other domains you control such as http://srv01.assets.example.com/, http://srv02.assets.example.com/, etc.
and you have an open redirect at http://myapp.example.com/clickThru?....

Here is what a secure configuration for this scenario might look like:

angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.resourceUrlWhitelist([
    // Allow same origin resource loads.
    'self',
    // Allow loading from our assets domain.  Notice the difference between * and **.
    'http://srv*.assets.example.com/**'
  ]);

  // The blacklist overrides the whitelist so the open redirect here is blocked.
  $sceDelegateProvider.resourceUrlBlacklist([
    'http://myapp.example.com/clickThru**'
  ]);
});

Methods

resourceUrlWhitelist([whitelist]);

Sets/Gets the whitelist of trusted resource URLs.

Parameters

Param Type Details

Param	Type	Details
whitelist (optional)	`Array`	When provided, replaces the resourceUrlWhitelist with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored. Follow this link for a description of the items allowed in this array. Note: an empty whitelist array will block all URLs!

whitelist

(optional)

Array

When provided, replaces the resourceUrlWhitelist with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored.

Follow this link for a description of the items
allowed in this array.

Note: **an empty whitelist array will block all URLs**!

Returns

Array

the currently set whitelist array.

The default value when no whitelist has been explicitly set is ['self'] allowing only same origin resource requests.

resourceUrlBlacklist([blacklist]);

Sets/Gets the blacklist of trusted resource URLs.

Parameters

Param Type Details

Param	Type	Details
blacklist (optional)	`Array`	When provided, replaces the resourceUrlBlacklist with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored. Follow this link for a description of the items allowed in this array. The typical usage for the blacklist is to block [open redirects](http://cwe.mitre.org/data/definitions/601.html) served by your domain as these would otherwise be trusted but actually return content from the redirected domain. Finally, the blacklist overrides the whitelist and has the final say.

blacklist

(optional)

Array

When provided, replaces the resourceUrlBlacklist with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored.

Follow this link for a description of the items
allowed in this array.

The typical usage for the blacklist is to **block
[open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as
these would otherwise be trusted but actually return content from the redirected domain.

Finally, **the blacklist overrides the whitelist** and has the final say.

Returns

Array

the currently set blacklist array.

The default value when no whitelist has been explicitly set is the empty array (i.e. there is no blacklist.)

© 2010–2016 Google, Inc.
Licensed under the Creative Commons Attribution License 4.0.
https://code.angularjs.org/1.2.32/docs/api/ng/provider/$sceDelegateProvider