
$sceDelegateProvider

- $sceDelegate
- provider in module ng

Overview

The $sceDelegateProvider provider allows developers to configure the $sceDelegate service, used as a delegate for Strict Contextual Escaping (SCE).

The $sceDelegateProvider allows one to get/set the whitelists and blacklists used to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all places that use the $sce.RESOURCE_URL context). See $sceDelegateProvider.resourceUrlWhitelist and $sceDelegateProvider.resourceUrlBlacklist.

For the general details about this service in AngularJS, read the main page for Strict Contextual Escaping (SCE).

Example: consider an application that loads some of its templates from its own origin and some from an assets domain it controls, and that also exposes an open redirect which must never be accepted as a template source.

Here is what a secure configuration for this scenario might look like:

angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.resourceUrlWhitelist([
    // Allow same origin resource loads.
    'self',
    // Allow loading from our assets domain.  Notice the difference between * and **.
    'http://srv*.assets.example.com/**'
  ]);

  // The blacklist overrides the whitelist so the open redirect here is blocked.
  $sceDelegateProvider.resourceUrlBlacklist([
    'http://myapp.example.com/clickThru**'
  ]);
});

Note that an empty whitelist will block every resource URL from being loaded, and will require you to manually mark each one as trusted with $sce.trustAsResourceUrl. However, templates requested by $templateRequest that are present in $templateCache will not go through this check. If you have a mechanism to populate your templates in that cache at config time, then it is a good idea to remove 'self' from that whitelist. This helps to mitigate the security impact of certain types of issues, like for instance attacker-controlled ng-includes.
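To make the two rules above concrete (whitelist first, blacklist overrides, empty whitelist admits nothing), here is an added example that is not AngularJS's own code: a small stand-alone model of the resource URL policy check that $sceDelegate applies to the configuration shown above. It uses the documented SCE string-matcher semantics ('*' matches any run of characters other than ':', '/', '.', '?', '&' and ';', '**' matches anything, 'self' means same origin as the application). The application URL http://myapp.example.com/, the sample URLs, and the names compileMatcher, makeResourceUrlPolicy and policy are the example's own assumptions.

```javascript
// Added example, not AngularJS's own source: a stand-alone model of how
// $sceDelegate decides whether a resource URL is allowed, using the whitelist
// and blacklist from the configuration above. Pattern semantics follow the
// documented SCE string-matcher rules:
//   'self'  matches any URL with the same origin as the application,
//   '*'     matches zero or more characters other than  : / . ? & ;
//   '**'    matches zero or more of any character,
//   everything else in a string pattern is matched literally.

function escapeForRegExp(s) {
  // Escape regex metacharacters so the pattern text is matched literally.
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function compileMatcher(pattern) {
  if (pattern === 'self') return 'self';
  if (pattern instanceof RegExp) return new RegExp('^' + pattern.source + '$');
  if (pattern.indexOf('***') !== -1) {
    throw new Error('Illegal sequence *** in string matcher: ' + pattern);
  }
  // Escape first, then turn the (now escaped) wildcards back into regex.
  const body = escapeForRegExp(pattern)
    .replace(/\\\*\\\*/g, '.*')            // '**' -> anything
    .replace(/\\\*/g, '[^:/.?&;]*');       // '*'  -> anything but : / . ? & ;
  return new RegExp('^' + body + '$');
}

function matchUrl(matcher, parsedUrl, appOrigin) {
  if (matcher === 'self') return parsedUrl.origin === appOrigin;
  return matcher.test(parsedUrl.href);
}

// Builds the check. appUrl is an assumption standing in for the page the app
// is served from; relative resource URLs are resolved against it.
function makeResourceUrlPolicy({ appUrl, whitelist, blacklist }) {
  const appOrigin = new URL(appUrl).origin;
  const allow = whitelist.map(compileMatcher);
  const deny = blacklist.map(compileMatcher);
  return function isResourceUrlAllowed(url) {
    const parsed = new URL(url, appUrl);
    // At least one whitelist entry must match ...
    if (!allow.some(m => matchUrl(m, parsed, appOrigin))) return false;
    // ... and no blacklist entry may match: the blacklist always wins.
    return !deny.some(m => matchUrl(m, parsed, appOrigin));
  };
}

// The configuration from the page, with a constructed application URL.
const policy = makeResourceUrlPolicy({
  appUrl: 'http://myapp.example.com/',
  whitelist: ['self', 'http://srv*.assets.example.com/**'],
  blacklist: ['http://myapp.example.com/clickThru**'],
});

// An empty whitelist, as the note above describes, admits nothing.
const emptyPolicy = makeResourceUrlPolicy({
  appUrl: 'http://myapp.example.com/',
  whitelist: [],
  blacklist: [],
});

// Constructed sample URLs an application might be asked to load.
const samples = [
  'templates/main.html',                                      // same origin
  'http://srv01.assets.example.com/tpl/widget.html',          // assets host
  'http://srv01.assets.example.com.evil.test/tpl.html',       // '*' stops at '.'
  'http://srv01.assets.example.com:8080/tpl.html',            // '*' stops at ':'
  'https://srv01.assets.example.com/tpl.html',                // scheme is literal
  'http://myapp.example.com/clickThru?to=http://evil.test/',  // blacklisted
];

for (const u of samples) {
  console.log(policy(u) ? 'ALLOW' : 'BLOCK', u);
}
```

The third and fourth samples show why the page's comment draws attention to the difference between `*` and `**`: because `*` cannot cross a `.` or `:`, a pattern such as `http://srv*.assets.example.com/**` does not match a look-alike host with extra labels or a different port, whereas `**` in the path position deliberately matches any nested path.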

Methods