The $sceDelegateProvider
provider allows developers to configure the $sceDelegate service. This allows one to get/set the whitelists and blacklists used to ensure that the URLs used for sourcing Angular templates are safe. Refer $sceDelegateProvider.resourceUrlWhitelist and $sceDelegateProvider.resourceUrlBlacklist
For the general details about this service in Angular, read the main page for Strict Contextual Escaping (SCE).
Example: Consider the following case.
http://myapp.example.com/
http://srv01.assets.example.com/
, http://srv02.assets.example.com/
, etc.http://myapp.example.com/clickThru?...
.Here is what a secure configuration for this scenario might look like:
angular.module('myApp', []).config(function($sceDelegateProvider) { $sceDelegateProvider.resourceUrlWhitelist([ // Allow same origin resource loads. 'self', // Allow loading from our assets domain. Notice the difference between * and **. 'http://srv*.assets.example.com/**' ]); // The blacklist overrides the whitelist so the open redirect here is blocked. $sceDelegateProvider.resourceUrlBlacklist([ 'http://myapp.example.com/clickThru**' ]); });
Sets/Gets the whitelist of trusted resource URLs.
Param | Type | Details |
---|---|---|
whitelist (optional) | Array | When provided, replaces the resourceUrlWhitelist with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored. Follow this link for a description of the items allowed in this array. Note: **an empty whitelist array will block all URLs**! |
Array |
the currently set whitelist array. The default value when no whitelist has been explicitly set is |
Sets/Gets the blacklist of trusted resource URLs.
Param | Type | Details |
---|---|---|
blacklist (optional) | Array | When provided, replaces the resourceUrlBlacklist with the value provided. This must be an array or null. A snapshot of this array is used so further changes to the array are ignored. Follow this link for a description of the items allowed in this array. The typical usage for the blacklist is to **block [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as these would otherwise be trusted but actually return content from the redirected domain. Finally, **the blacklist overrides the whitelist** and has the final say. |
Array |
the currently set blacklist array. The default value when no whitelist has been explicitly set is the empty array (i.e. there is no blacklist.) |
© 2010–2016 Google, Inc.
Licensed under the Creative Commons Attribution License 4.0.
https://code.angularjs.org/1.3.20/docs/api/ng/provider/$sceDelegateProvider