 * @ngdoc provider
 * @name $sceDelegateProvider
 * @this
 *
 * @description
 *
 * The `$sceDelegateProvider` provider allows developers to configure the ng.$sceDelegate
 * $sceDelegate service, used as a delegate for ng.$sce Strict Contextual Escaping (SCE).
 *
 * The `$sceDelegatePr
 */

function $SceDelegateProvider() {
  this.SCE_CONTEXTS = SCE_CONTEXTS;

  // Resource URLs can also be trusted by policy.
  var resourceUrlWhitelist = ['self'],
    resourceUrlBlacklist = [];

  /**
   * @ngdoc method
   * @name $sceDelegateProvider#resourceUrlWhitelist
   * @kind function
   *
   * @param {Array=} whitelist When provided, replaces the resourceUrlWhitelist with the value
   *     provided. This must be an array or null. A snapshot of this array is used so further
   *     changes to the array are ignored.
   *     Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
   *     allowed in this array.
   *
   * @return {Array} The currently set whitelist array.
   *
   * @description
   * Sets/Gets the whitelist of trusted resource URLs.
   *
   * The **default value** when no whitelist has been explicitly set is `['self']` allowing only
   * same origin resource requests.
   *
   * <div class="alert alert-warning">
   * **Note:** the default whitelist of 'self' is not recommended if your app shares its origin
   * with other apps! It is a good idea to limit it to only your application's directory.
   * </div>
   */
  this.resourceUrlWhitelist = function(value) {
    if (arguments.length) {
      resourceUrlWhitelist = adjustMatchers(value);
    }
    return resourceUrlWhitelist;
  };

  /**
   * @ngdoc method
   * @name $sceDelegateProvider#resourceUrlBlacklist
   * @kind function
   *
   * @param {Array=} blacklist When provided, replaces the resourceUrlBlacklist with the value
   *     provided. This must be an array or null. A snapshot of this array is used so further
   *     changes to the array are ignored.</p><p>
   *     Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
   *     allowed in this array.</p><p>
   *     The typical usage for the blacklist is to **block
   *     [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as
   *     these would otherwise be trusted but actually return content from the redirected domain.
   *     </p><p>
   *     Finally, **the blacklist overrides the whitelist** and has the final say.
   *
   * @return {Array} The currently set blacklist array.
   *
   * @description
   * Sets/Gets the blacklist of trusted resource URLs.
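
The two cautions in the comments above (narrow the default `'self'` whitelist when the origin is shared, and blacklist open redirects because the blacklist has the final say) are modelled below. This is an added example, not AngularJS source: `matches`, `isTrustedResourceUrl`, `APP_BASE`, the `billingApp` module and every URL are assumptions, and only `'self'` and RegExp items are modelled; the real matching is done by `$sceDelegate`.

```javascript
// Added example: simplified model of the whitelist/blacklist decision.
// APP_BASE and all URLs are constructed sample values, not from AngularJS.
const APP_BASE = 'https://apps.example.com/billing/index.html';

// Default policy described in the docs: same-origin only, nothing blocked.
const defaultPolicy = { whitelist: ['self'], blacklist: [] };

// Hardened policy: only this app's directory, and never its redirect endpoint.
const policy = {
  whitelist: [/^https:\/\/apps\.example\.com\/billing\/.*$/],
  blacklist: [/^https:\/\/apps\.example\.com\/billing\/redirect\?.*$/]
};

// Model of one pattern item: 'self' means same origin as the page;
// a RegExp item must match the entire absolute URL.
function matches(item, absUrl) {
  if (item === 'self') {
    return new URL(absUrl).origin === new URL(APP_BASE).origin;
  }
  return new RegExp('^(?:' + item.source + ')$').test(absUrl);
}

// A resource URL is trusted only if some whitelist item matches
// and no blacklist item matches (the blacklist has the final say).
function isTrustedResourceUrl(url, p) {
  const absUrl = new URL(url, APP_BASE).href;
  const allowed = p.whitelist.some((item) => matches(item, absUrl));
  const blocked = p.blacklist.some((item) => matches(item, absUrl));
  return allowed && !blocked;
}

// The same policy handed to the provider methods shown on this page.
// Runs only when AngularJS is loaded; 'billingApp' is a hypothetical module.
if (typeof angular !== 'undefined') {
  angular.module('billingApp', []).config(['$sceDelegateProvider', function (provider) {
    provider.resourceUrlWhitelist(policy.whitelist);
    provider.resourceUrlBlacklist(policy.blacklist);
  }]);
}
```

Under `defaultPolicy`, both another app's template on the same origin (`/wiki/widget.html`) and the app's own redirect endpoint count as trusted; under `policy`, neither does.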