From a206e2675c351c3cdcde3402978126774c1c5df9 Mon Sep 17 00:00:00 2001 From: Joey Perrott Date: Wed, 23 Sep 2020 10:02:33 -0700 Subject: [PATCH] refactor(sceDelegateProvider): remove usages of whitelist and blacklist Changes resourceUrlWhitelist to trustedResourceUrlList and resourceUrlBlacklist to bannedResourceUrlList, updating references to use this new symbol. For the purposes of backward compatibility, the previous symbols are aliased to their new symbol. --- docs/content/error/$sce/imatcher.ngdoc | 6 +- docs/content/error/$sce/insecurl.ngdoc | 4 +- docs/content/error/$sce/iwcard.ngdoc | 6 +- docs/content/guide/migration.ngdoc | 8 +- src/Angular.js | 2 +- src/ng/compile.js | 4 +- src/ng/directive/ngInclude.js | 6 +- src/ng/http.js | 4 +- src/ng/sce.js | 149 ++++++++++++++----------- test/ng/httpSpec.js | 4 +- test/ng/sceSpecs.js | 71 ++++++------ test/ngRoute/routeSpec.js | 2 +- 12 files changed, 144 insertions(+), 122 deletions(-) diff --git a/docs/content/error/$sce/imatcher.ngdoc b/docs/content/error/$sce/imatcher.ngdoc index ef1e183dadf..c1009f8a292 100644 --- a/docs/content/error/$sce/imatcher.ngdoc +++ b/docs/content/error/$sce/imatcher.ngdoc @@ -3,7 +3,7 @@ @fullName Invalid matcher (only string patterns and RegExp instances are supported) @description -Please see {@link $sceDelegateProvider#resourceUrlWhitelist -$sceDelegateProvider.resourceUrlWhitelist} and {@link -$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist} for the +Please see {@link $sceDelegateProvider#trustedResourceUrlList +$sceDelegateProvider.trustedResourceUrlList} and {@link +$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList} for the list of acceptable items. diff --git a/docs/content/error/$sce/insecurl.ngdoc b/docs/content/error/$sce/insecurl.ngdoc index fde7e22fb7c..66a419f73f9 100644 --- a/docs/content/error/$sce/insecurl.ngdoc +++ b/docs/content/error/$sce/insecurl.ngdoc @@ -15,8 +15,8 @@ By default, only URLs that belong to the same origin are trusted. These are urls The {@link ng.directive:ngInclude ngInclude} directive and {@link guide/directive directives} that specify a `templateUrl` require a trusted resource URL. To load templates from other domains and/or protocols, either adjust the {@link -ng.$sceDelegateProvider#resourceUrlWhitelist whitelist}/ {@link -ng.$sceDelegateProvider#resourceUrlBlacklist blacklist} or wrap the URL with a call to {@link +ng.$sceDelegateProvider#trustedResourceUrlList trusted resource URL list}/ {@link +ng.$sceDelegateProvider#bannedResourceUrlList banned resource URL list} or wrap the URL with a call to {@link ng.$sce#trustAsResourceUrl $sce.trustAsResourceUrl}. **Note**: The browser's [Same Origin diff --git a/docs/content/error/$sce/iwcard.ngdoc b/docs/content/error/$sce/iwcard.ngdoc index 81b5a3cee19..88f4787fddb 100644 --- a/docs/content/error/$sce/iwcard.ngdoc +++ b/docs/content/error/$sce/iwcard.ngdoc @@ -3,7 +3,7 @@ @fullName The sequence *** is not a valid pattern wildcard @description -The strings in {@link $sceDelegateProvider#resourceUrlWhitelist -$sceDelegateProvider.resourceUrlWhitelist} and {@link -$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist} may not +The strings in {@link $sceDelegateProvider#trustedResourceUrlList +$sceDelegateProvider.trustedResourceUrlList} and {@link +$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList} may not contain the undefined sequence `***`. Only `*` and `**` wildcard patterns are defined. diff --git a/docs/content/guide/migration.ngdoc b/docs/content/guide/migration.ngdoc index c982677cd3d..5f66551a9d1 100644 --- a/docs/content/guide/migration.ngdoc +++ b/docs/content/guide/migration.ngdoc @@ -1387,12 +1387,12 @@ $http.json('other/trusted/url', {jsonpCallbackParam: 'cb'}); all JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to trust a URL: -1. **Whitelisting with the `$sceDelegateProvider.resourceUrlWhitelist()` method.** +1. **Setting trusted resource URLs with the `$sceDelegateProvider.trustedResourceUrlList()` method.** You configure this list in a module configuration block: ```js appModule.config(['$sceDelegateProvider', function($sceDelegateProvider) { - $sceDelegateProvider.resourceUrlWhitelist([ + $sceDelegateProvider.trustedResourceUrlList([ // Allow same origin resource loads. 'self', // Allow JSONP calls that match this pattern @@ -2662,11 +2662,11 @@ $scope.findTemplate = function(templateName) { return templateCache[templateName]; }; -// Alternatively, use `$sceDelegateProvider.resourceUrlWhitelist()`, which means you don't +// Alternatively, use `$sceDelegateProvider.trustedResourceUrlList()`, which means you don't // have to use `$sce.trustAsResourceUrl()` at all: angular.module('myApp', []).config(function($sceDelegateProvider) { - $sceDelegateProvider.resourceUrlWhitelist(['self', 'https://example.com/templates/**']) + $sceDelegateProvider.trustedResourceUrlList(['self', 'https://example.com/templates/**']) }); ``` diff --git a/src/Angular.js b/src/Angular.js index d7a68ccdb85..9b11090518b 100644 --- a/src/Angular.js +++ b/src/Angular.js @@ -1532,7 +1532,7 @@ function allowAutoBootstrap(document) { link.href = src.value; if (document.location.origin === link.origin) { - // Same-origin resources are always allowed, even for non-whitelisted schemes. + // Same-origin resources are always allowed, even for banned URL schemes. return true; } // Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web. diff --git a/src/ng/compile.js b/src/ng/compile.js index bef1dbb354b..92da37dbb07 100644 --- a/src/ng/compile.js +++ b/src/ng/compile.js @@ -1106,8 +1106,8 @@ * * Based on the context, other options may exist to mark a value as trusted / configure the behavior * of {@link ng.$sce}. For example, to restrict the `RESOURCE_URL` context to specific origins, use - * the {@link $sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist()} - * and {@link $sceDelegateProvider#resourceUrlBlacklist resourceUrlBlacklist()}. + * the {@link $sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList()} + * and {@link $sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList()}. * * {@link ng.$sce#what-trusted-context-types-are-supported- Find out more about the different context types}. * diff --git a/src/ng/directive/ngInclude.js b/src/ng/directive/ngInclude.js index b3bfe7dc117..2cdd82c9b1c 100644 --- a/src/ng/directive/ngInclude.js +++ b/src/ng/directive/ngInclude.js @@ -13,9 +13,9 @@ * By default, the template URL is restricted to the same domain and protocol as the * application document. This is done by calling {@link $sce#getTrustedResourceUrl * $sce.getTrustedResourceUrl} on it. To load templates from other domains or protocols - * you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist them} or - * {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to AngularJS's {@link - * ng.$sce Strict Contextual Escaping}. + * you may either add them to your {@link ng.$sceDelegateProvider#trustedResourceUrlList trusted + * resource URL list} or {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to + * AngularJS's {@link ng.$sce Strict Contextual Escaping}. * * In addition, the browser's * [Same Origin Policy](https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest) diff --git a/src/ng/http.js b/src/ng/http.js index 81d150519b5..dcc30b1bc92 100644 --- a/src/ng/http.js +++ b/src/ng/http.js @@ -965,7 +965,7 @@ function $HttpProvider() { angular.module('httpExample', []) .config(['$sceDelegateProvider', function($sceDelegateProvider) { // We must whitelist the JSONP endpoint that we are using to show that we trust it - $sceDelegateProvider.resourceUrlWhitelist([ + $sceDelegateProvider.trustedResourceUrlList([ 'self', 'https://angularjs.org/**' ]); @@ -1223,7 +1223,7 @@ function $HttpProvider() { * Note that, since JSONP requests are sensitive because the response is given full access to the browser, * the url must be declared, via {@link $sce} as a trusted resource URL. * You can trust a URL by adding it to the whitelist via - * {@link $sceDelegateProvider#resourceUrlWhitelist `$sceDelegateProvider.resourceUrlWhitelist`} or + * {@link $sceDelegateProvider#trustedResourceUrlList `$sceDelegateProvider.trustedResourceUrlList`} or * by explicitly trusting the URL via {@link $sce#trustAsResourceUrl `$sce.trustAsResourceUrl(url)`}. * * You should avoid generating the URL for the JSONP request from user provided data. diff --git a/src/ng/sce.js b/src/ng/sce.js index 0ee69fc89d8..c0d18a50197 100644 --- a/src/ng/sce.js +++ b/src/ng/sce.js @@ -118,10 +118,10 @@ function adjustMatchers(matchers) { * The default instance of `$sceDelegate` should work out of the box with little pain. While you * can override it completely to change the behavior of `$sce`, the common case would * involve configuring the {@link ng.$sceDelegateProvider $sceDelegateProvider} instead by setting - * your own whitelists and blacklists for trusting URLs used for loading AngularJS resources such as - * templates. Refer {@link ng.$sceDelegateProvider#resourceUrlWhitelist - * $sceDelegateProvider.resourceUrlWhitelist} and {@link - * ng.$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist} + * your own trusted and banned resource lists for trusting URLs used for loading AngularJS resources + * such as templates. Refer {@link ng.$sceDelegateProvider#trustedResourceUrlList + * $sceDelegateProvider.trustedResourceUrlList} and {@link + * ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList} */ /** @@ -134,12 +134,12 @@ function adjustMatchers(matchers) { * The `$sceDelegateProvider` provider allows developers to configure the {@link ng.$sceDelegate * $sceDelegate service}, used as a delegate for {@link ng.$sce Strict Contextual Escaping (SCE)}. * - * The `$sceDelegateProvider` allows one to get/set the whitelists and blacklists used to ensure - * that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all - * places that use the `$sce.RESOURCE_URL` context). See - * {@link ng.$sceDelegateProvider#resourceUrlWhitelist $sceDelegateProvider.resourceUrlWhitelist} - * and - * {@link ng.$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist}, + * The `$sceDelegateProvider` allows one to get/set the `trustedResourceUrlList` and + * `bannedResourceUrlList` used to ensure that the URLs used for sourcing AngularJS templates and + * other script-running URLs are safe (all places that use the `$sce.RESOURCE_URL` context). See + * {@link ng.$sceDelegateProvider#trustedResourceUrlList + * $sceDelegateProvider.trustedResourceUrlList} and + * {@link ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList}, * * For the general details about this service in AngularJS, read the main page for {@link ng.$sce * Strict Contextual Escaping (SCE)}. @@ -155,98 +155,121 @@ function adjustMatchers(matchers) { * * ``` * angular.module('myApp', []).config(function($sceDelegateProvider) { - * $sceDelegateProvider.resourceUrlWhitelist([ + * $sceDelegateProvider.trustedResourceUrlList([ * // Allow same origin resource loads. * 'self', * // Allow loading from our assets domain. Notice the difference between * and **. * 'http://srv*.assets.example.com/**' * ]); * - * // The blacklist overrides the whitelist so the open redirect here is blocked. - * $sceDelegateProvider.resourceUrlBlacklist([ + * // The banned resource URL list overrides the trusted resource URL list so the open redirect + * // here is blocked. + * $sceDelegateProvider.bannedResourceUrlList([ * 'http://myapp.example.com/clickThru**' * ]); * }); * ``` - * Note that an empty whitelist will block every resource URL from being loaded, and will require + * Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require * you to manually mark each one as trusted with `$sce.trustAsResourceUrl`. However, templates * requested by {@link ng.$templateRequest $templateRequest} that are present in * {@link ng.$templateCache $templateCache} will not go through this check. If you have a mechanism * to populate your templates in that cache at config time, then it is a good idea to remove 'self' - * from that whitelist. This helps to mitigate the security impact of certain types of issues, like - * for instance attacker-controlled `ng-includes`. + * from the trusted resource URL lsit. This helps to mitigate the security impact of certain types + * of issues, like for instance attacker-controlled `ng-includes`. */ function $SceDelegateProvider() { this.SCE_CONTEXTS = SCE_CONTEXTS; // Resource URLs can also be trusted by policy. - var resourceUrlWhitelist = ['self'], - resourceUrlBlacklist = []; + var trustedResourceUrlList = ['self'], + bannedResourceUrlList = []; /** * @ngdoc method - * @name $sceDelegateProvider#resourceUrlWhitelist + * @name $sceDelegateProvider#trustedResourceUrlList * @kind function * - * @param {Array=} whitelist When provided, replaces the resourceUrlWhitelist with the value - * provided. This must be an array or null. A snapshot of this array is used so further - * changes to the array are ignored. + * @param {Array=} trustedResourceUrlList When provided, replaces the trustedResourceUrlList with + * the value provided. This must be an array or null. A snapshot of this array is used so + * further changes to the array are ignored. * Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items * allowed in this array. * - * @return {Array} The currently set whitelist array. + * @return {Array} The currently set trusted resource URL array. * * @description - * Sets/Gets the whitelist of trusted resource URLs. + * Sets/Gets the list trusted of resource URLs. * - * The **default value** when no whitelist has been explicitly set is `['self']` allowing only - * same origin resource requests. + * The **default value** when no `trustedResourceUrlList` has been explicitly set is `['self']` + * allowing only same origin resource requests. * *
- * **Note:** the default whitelist of 'self' is not recommended if your app shares its origin - * with other apps! It is a good idea to limit it to only your application's directory. + * **Note:** the default `trustedResourceUrlList` of 'self' is not recommended if your app shares + * its origin with other apps! It is a good idea to limit it to only your application's directory. *
*/ - this.resourceUrlWhitelist = function(value) { + this.trustedResourceUrlList = function(value) { if (arguments.length) { - resourceUrlWhitelist = adjustMatchers(value); + trustedResourceUrlList = adjustMatchers(value); } - return resourceUrlWhitelist; + return trustedResourceUrlList; }; + this.resourceUrlWhitelist = this.trustedResourceUrlList; /** * @ngdoc method - * @name $sceDelegateProvider#resourceUrlBlacklist + * @name $sceDelegateProvider#bannedResourceUrlList * @kind function * - * @param {Array=} blacklist When provided, replaces the resourceUrlBlacklist with the value - * provided. This must be an array or null. A snapshot of this array is used so further - * changes to the array are ignored.

+ * @param {Array=} bannedResourceUrlList When provided, replaces the `bannedResourceUrlList` with + * the value provided. This must be an array or null. A snapshot of this array is used so + * further changes to the array are ignored.

* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items * allowed in this array.

- * The typical usage for the blacklist is to **block + * The typical usage for the `bannedResourceUrlList` is to **block * [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as * these would otherwise be trusted but actually return content from the redirected domain. *

- * Finally, **the blacklist overrides the whitelist** and has the final say. + * Finally, **the banned resource URL list overrides the trusted resource URL list** and has + * the final say. * - * @return {Array} The currently set blacklist array. + * @return {Array} The currently set `bannedResourceUrlList` array. * * @description - * Sets/Gets the blacklist of trusted resource URLs. + * Sets/Gets the `bannedResourceUrlList` of trusted resource URLs. * - * The **default value** when no whitelist has been explicitly set is the empty array (i.e. there - * is no blacklist.) + * The **default value** when no trusted resource URL list has been explicitly set is the empty + * array (i.e. there is no `bannedResourceUrlList`.) */ - this.resourceUrlBlacklist = function(value) { + this.bannedResourceUrlList = function(value) { if (arguments.length) { - resourceUrlBlacklist = adjustMatchers(value); + bannedResourceUrlList = adjustMatchers(value); } - return resourceUrlBlacklist; + return bannedResourceUrlList; }; + /** + * @ngdoc method + * @name $sceDelegateProvider#resourceUrlBlacklist + * @kind function + * + * @deprecated + * sinceVersion="1.8.1" + * + * This function is deprecated. Use {@link $sceDelegateProvider#bannedResourceUrlList + * bannedResourceUrlList} instead. + */ + Object.defineProperty(this, 'resourceUrlBlacklist', { + get: function() { + return this.bannedResourceUrlList; + }, + set: function(value) { + this.bannedResourceUrlList = value; + } + }); + this.$get = ['$injector', '$$sanitizeUri', function($injector, $$sanitizeUri) { var htmlSanitizer = function htmlSanitizer(html) { @@ -270,17 +293,17 @@ function $SceDelegateProvider() { function isResourceUrlAllowedByPolicy(url) { var parsedUrl = urlResolve(url.toString()); var i, n, allowed = false; - // Ensure that at least one item from the whitelist allows this url. - for (i = 0, n = resourceUrlWhitelist.length; i < n; i++) { - if (matchUrl(resourceUrlWhitelist[i], parsedUrl)) { + // Ensure that at least one item from the trusted resource URL list allows this url. + for (i = 0, n = trustedResourceUrlList.length; i < n; i++) { + if (matchUrl(trustedResourceUrlList[i], parsedUrl)) { allowed = true; break; } } if (allowed) { - // Ensure that no item from the blacklist blocked this url. - for (i = 0, n = resourceUrlBlacklist.length; i < n; i++) { - if (matchUrl(resourceUrlBlacklist[i], parsedUrl)) { + // Ensure that no item from the banned resource URL list has blocked this url. + for (i = 0, n = bannedResourceUrlList.length; i < n; i++) { + if (matchUrl(bannedResourceUrlList[i], parsedUrl)) { allowed = false; break; } @@ -401,9 +424,9 @@ function $SceDelegateProvider() { * The contexts that can be sanitized are $sce.MEDIA_URL, $sce.URL and $sce.HTML. The first two are available * by default, and the third one relies on the `$sanitize` service (which may be loaded through * the `ngSanitize` module). Furthermore, for $sce.RESOURCE_URL context, a plain string may be - * accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#resourceUrlWhitelist - * `$sceDelegateProvider.resourceUrlWhitelist`} and {@link ng.$sceDelegateProvider#resourceUrlBlacklist - * `$sceDelegateProvider.resourceUrlBlacklist`} accepts that resource. + * accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#trustedResourceUrlList + * `$sceDelegateProvider.trustedResourceUrlList`} and {@link ng.$sceDelegateProvider#bannedResourceUrlList + * `$sceDelegateProvider.bannedResourceUrlList`} accepts that resource. * * This function will throw if the safe type isn't appropriate for this context, or if the * value given cannot be accepted in the context (which might be caused by sanitization not @@ -497,9 +520,9 @@ function $SceDelegateProvider() { * * To systematically block XSS security bugs, AngularJS treats all values as untrusted by default in * HTML or sensitive URL bindings. When binding untrusted values, AngularJS will automatically - * run security checks on them (sanitizations, whitelists, depending on context), or throw when it - * cannot guarantee the security of the result. That behavior depends strongly on contexts: HTML - * can be sanitized, but template URLs cannot, for instance. + * run security checks on them (sanitizations, trusted URL resource, depending on context), or throw + * when it cannot guarantee the security of the result. That behavior depends strongly on contexts: + * HTML can be sanitized, but template URLs cannot, for instance. * * To illustrate this, consider the `ng-bind-html` directive. It renders its value directly as HTML: * we call that the *context*. When given an untrusted input, AngularJS will attempt to sanitize it @@ -578,8 +601,8 @@ function $SceDelegateProvider() { * By default, AngularJS only loads templates from the same domain and protocol as the application * document. This is done by calling {@link ng.$sce#getTrustedResourceUrl * $sce.getTrustedResourceUrl} on the template URL. To load templates from other domains and/or - * protocols, you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist - * them} or {@link ng.$sce#trustAsResourceUrl wrap it} into a trusted value. + * protocols, you may either add them to the {@link ng.$sceDelegateProvider#trustedResourceUrlList + * trustedResourceUrlList} or {@link ng.$sce#trustAsResourceUrl wrap them} into trusted values. * * *Please note*: * The browser's @@ -607,8 +630,8 @@ function $SceDelegateProvider() { * templates in `ng-include` from your application's domain without having to even know about SCE. * It blocks loading templates from other domains or loading templates over http from an https * served document. You can change these by setting your own custom {@link - * ng.$sceDelegateProvider#resourceUrlWhitelist whitelists} and {@link - * ng.$sceDelegateProvider#resourceUrlBlacklist blacklists} for matching such URLs. + * ng.$sceDelegateProvider#trustedResourceUrlList trusted resource URL list} and {@link + * ng.$sceDelegateProvider#bannedResourceUrlList banned resource URL list} for matching such URLs. * * This significantly reduces the overhead. It is far easier to pay the small overhead and have an * application that's secure and can be audited to verify that with much more ease than bolting @@ -623,7 +646,7 @@ function $SceDelegateProvider() { * | `$sce.CSS` | For CSS that's safe to source into the application. Currently unused. Feel free to use it in your own directives. | * | `$sce.MEDIA_URL` | For URLs that are safe to render as media. Is automatically converted from string by sanitizing when needed. | * | `$sce.URL` | For URLs that are safe to follow as links. Is automatically converted from string by sanitizing when needed. Note that `$sce.URL` makes a stronger statement about the URL than `$sce.MEDIA_URL` does and therefore contexts requiring values trusted for `$sce.URL` can be used anywhere that values trusted for `$sce.MEDIA_URL` are required.| - * | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.)

Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` or `$sce.MEDIA_URL` do and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` or `$sce.MEDIA_URL` are required.

The {@link $sceDelegateProvider#resourceUrlWhitelist $sceDelegateProvider#resourceUrlWhitelist()} and {@link $sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider#resourceUrlBlacklist()} can be used to restrict trusted origins for `RESOURCE_URL` | + * | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.)

Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` or `$sce.MEDIA_URL` do and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` or `$sce.MEDIA_URL` are required.

The {@link $sceDelegateProvider#trustedResourceUrlList $sceDelegateProvider#trustedResourceUrlList()} and {@link $sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider#bannedResourceUrlList()} can be used to restrict trusted origins for `RESOURCE_URL` | * | `$sce.JS` | For JavaScript that is safe to execute in your application's context. Currently unused. Feel free to use it in your own directives. | * * @@ -641,7 +664,7 @@ function $SceDelegateProvider() { * There are no CSS or JS context bindings in AngularJS currently, so their corresponding `$sce.trustAs` * functions aren't useful yet. This might evolve. * - * ### Format of items in {@link ng.$sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist}/{@link ng.$sceDelegateProvider#resourceUrlBlacklist Blacklist} + * ### Format of items in {@link ng.$sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList}/{@link ng.$sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList} * * Each element in these arrays must be one of the following: * @@ -655,7 +678,7 @@ function $SceDelegateProvider() { * match themselves. * - `*`: matches zero or more occurrences of any character other than one of the following 6 * characters: '`:`', '`/`', '`.`', '`?`', '`&`' and '`;`'. It's a useful wildcard for use - * in a whitelist. + * for matching resource URL lists. * - `**`: matches zero or more occurrences of *any* character. As such, it's not * appropriate for use in a scheme, domain, etc. as it would match too much. (e.g. * http://**.example.com/ would match http://evil.com/?ignore=.example.com/ and that might diff --git a/test/ng/httpSpec.js b/test/ng/httpSpec.js index 065d93ac439..d0c994670b4 100644 --- a/test/ng/httpSpec.js +++ b/test/ng/httpSpec.js @@ -288,8 +288,8 @@ describe('$http', function() { var $httpBackend, $http, $rootScope, $sce; beforeEach(module(function($sceDelegateProvider) { - // Setup a special whitelisted url that we can use in testing JSONP requests - $sceDelegateProvider.resourceUrlWhitelist(['http://special.whitelisted.resource.com/**']); + // Setup a special trusted url that we can use in testing JSONP requests + $sceDelegateProvider.trustedResourceUrlList(['http://special.trusted.resource.com/**']); })); beforeEach(inject(['$httpBackend', '$http', '$rootScope', '$sce', function($hb, $h, $rs, $sc) { diff --git a/test/ng/sceSpecs.js b/test/ng/sceSpecs.js index fb169925c9f..a852b17ceda 100644 --- a/test/ng/sceSpecs.js +++ b/test/ng/sceSpecs.js @@ -309,11 +309,11 @@ describe('SCE', function() { function runTest(cfg, testFn) { return function() { module(function($sceDelegateProvider) { - if (isDefined(cfg.whiteList)) { - $sceDelegateProvider.resourceUrlWhitelist(cfg.whiteList); + if (isDefined(cfg.trustedUrls)) { + $sceDelegateProvider.trustedResourceUrlList(cfg.trustedUrls); } - if (isDefined(cfg.blackList)) { - $sceDelegateProvider.resourceUrlBlacklist(cfg.blackList); + if (isDefined(cfg.bannedUrls)) { + $sceDelegateProvider.bannedResourceUrlList(cfg.bannedUrls); } }); inject(testFn); @@ -324,10 +324,10 @@ describe('SCE', function() { expect($sce.getTrustedResourceUrl('foo/bar')).toEqual('foo/bar'); })); - it('should reject everything when whitelist is empty', runTest( + it('should reject everything when trusted resource URL list is empty', runTest( { - whiteList: [], - blackList: [] + trustedUrls: [], + bannedUrls: [] }, function($sce) { expect(function() { $sce.getTrustedResourceUrl('#'); }).toThrowMinErr( '$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: #'); @@ -336,8 +336,8 @@ describe('SCE', function() { it('should match against normalized urls', runTest( { - whiteList: [/^foo$/], - blackList: [] + trustedUrls: [/^foo$/], + bannedUrls: [] }, function($sce) { expect(function() { $sce.getTrustedResourceUrl('foo'); }).toThrowMinErr( '$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: foo'); @@ -346,7 +346,7 @@ describe('SCE', function() { it('should not accept unknown matcher type', function() { expect(function() { - runTest({whiteList: [{}]}, null)(); + runTest({trustedUrls: [{}]}, null)(); }).toThrowMinErr('$injector', 'modulerr', new RegExp( /Failed to instantiate module function ?\(\$sceDelegateProvider\) due to:\n/.source + /[^[]*\[\$sce:imatcher] Matchers may only be "self", string patterns or RegExp objects/.source)); @@ -370,8 +370,8 @@ describe('SCE', function() { describe('regex matcher', function() { it('should support custom regex', runTest( { - whiteList: [/^http:\/\/example\.com\/.*/], - blackList: [] + trustedUrls: [/^http:\/\/example\.com\/.*/], + bannedUrls: [] }, function($sce) { expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo'); // must match entire regex @@ -385,8 +385,8 @@ describe('SCE', function() { it('should match entire regex', runTest( { - whiteList: [/https?:\/\/example\.com\/foo/], - blackList: [] + trustedUrls: [/https?:\/\/example\.com\/foo/], + bannedUrls: [] }, function($sce) { expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo'); expect($sce.getTrustedResourceUrl('https://example.com/foo')).toEqual('https://example.com/foo'); @@ -405,8 +405,8 @@ describe('SCE', function() { describe('string matchers', function() { it('should support strings as matchers', runTest( { - whiteList: ['http://example.com/foo'], - blackList: [] + trustedUrls: ['http://example.com/foo'], + bannedUrls: [] }, function($sce) { expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo'); // "." is not a special character like in a regex. @@ -423,8 +423,8 @@ describe('SCE', function() { it('should support the * wildcard', runTest( { - whiteList: ['http://example.com/foo*'], - blackList: [] + trustedUrls: ['http://example.com/foo*'], + bannedUrls: [] }, function($sce) { expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo'); // The * wildcard should match extra characters. @@ -452,8 +452,8 @@ describe('SCE', function() { it('should support the ** wildcard', runTest( { - whiteList: ['http://example.com/foo**'], - blackList: [] + trustedUrls: ['http://example.com/foo**'], + bannedUrls: [] }, function($sce) { expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo'); // The ** wildcard should match extra characters. @@ -465,7 +465,7 @@ describe('SCE', function() { it('should not accept *** in the string', function() { expect(function() { - runTest({whiteList: ['http://***']}, null)(); + runTest({trustedUrls: ['http://***']}, null)(); }).toThrowMinErr('$injector', 'modulerr', new RegExp( /Failed to instantiate module function ?\(\$sceDelegateProvider\) due to:\n/.source + /[^[]*\[\$sce:iwcard] Illegal sequence \*\*\* in string matcher\. {2}String: http:\/\/\*\*\*/.source)); @@ -473,19 +473,19 @@ describe('SCE', function() { }); describe('"self" matcher', function() { - it('should support the special string "self" in whitelist', runTest( + it('should support the special string "self" in trusted resource URL list', runTest( { - whiteList: ['self'], - blackList: [] + trustedUrls: ['self'], + bannedUrls: [] }, function($sce) { expect($sce.getTrustedResourceUrl('foo')).toEqual('foo'); } )); - it('should support the special string "self" in blacklist', runTest( + it('should support the special string "self" in baneed resource URL list', runTest( { - whiteList: [/.*/], - blackList: ['self'] + trustedUrls: [/.*/], + bannedUrls: ['self'] }, function($sce) { expect(function() { $sce.getTrustedResourceUrl('foo'); }).toThrowMinErr( '$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: foo'); @@ -494,7 +494,7 @@ describe('SCE', function() { describe('when the document base URL has changed', function() { var baseElem; - var cfg = {whitelist: ['self'], blacklist: []}; + var cfg = {trustedUrls: ['self'], bannedUrls: []}; beforeEach(function() { baseElem = window.document.createElement('BASE'); @@ -526,10 +526,10 @@ describe('SCE', function() { }); }); - it('should have blacklist override the whitelist', runTest( + it('should have the banned resource URL list override the trusted resource URL list', runTest( { - whiteList: ['self'], - blackList: ['self'] + trustedUrls: ['self'], + bannedUrls: ['self'] }, function($sce) { expect(function() { $sce.getTrustedResourceUrl('foo'); }).toThrowMinErr( '$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: foo'); @@ -538,8 +538,8 @@ describe('SCE', function() { it('should support multiple items in both lists', runTest( { - whiteList: [/^http:\/\/example.com\/1$/, /^http:\/\/example.com\/2$/, /^http:\/\/example.com\/3$/, 'self'], - blackList: [/^http:\/\/example.com\/3$/, /.*\/open_redirect/] + trustedUrls: [/^http:\/\/example.com\/1$/, /^http:\/\/example.com\/2$/, /^http:\/\/example.com\/3$/, 'self'], + bannedUrls: [/^http:\/\/example.com\/3$/, /.*\/open_redirect/] }, function($sce) { expect($sce.getTrustedResourceUrl('same_domain')).toEqual('same_domain'); expect($sce.getTrustedResourceUrl('http://example.com/1')).toEqual('http://example.com/1'); @@ -553,12 +553,12 @@ describe('SCE', function() { }); describe('URL-context sanitization', function() { - it('should sanitize values that are not whitelisted', inject(function($sce) { + it('should sanitize values that are not found in the trusted resource URL list', inject(function($sce) { expect($sce.getTrustedMediaUrl('javascript:foo')).toEqual('unsafe:javascript:foo'); expect($sce.getTrustedUrl('javascript:foo')).toEqual('unsafe:javascript:foo'); })); - it('should not sanitize values that are whitelisted', inject(function($sce) { + it('should not sanitize values that are found in the trusted resource URL list', inject(function($sce) { expect($sce.getTrustedMediaUrl('http://example.com')).toEqual('http://example.com'); expect($sce.getTrustedUrl('http://example.com')).toEqual('http://example.com'); })); @@ -620,4 +620,3 @@ describe('SCE', function() { }); }); }); - diff --git a/test/ngRoute/routeSpec.js b/test/ngRoute/routeSpec.js index cdf755f42e1..fa31d412465 100644 --- a/test/ngRoute/routeSpec.js +++ b/test/ngRoute/routeSpec.js @@ -803,7 +803,7 @@ describe('$route', function() { it('should load cross domain templates that are trusted', function() { module(function($routeProvider, $sceDelegateProvider) { $routeProvider.when('/foo', { templateUrl: 'http://example.com/foo.html' }); - $sceDelegateProvider.resourceUrlWhitelist([/^http:\/\/example\.com\/foo\.html$/]); + $sceDelegateProvider.trustedResourceUrlList([/^http:\/\/example\.com\/foo\.html$/]); }); inject(function($route, $location, $rootScope) {