MCPcopy
hub / github.com/angular-ui/ui-router / $SceDelegateProvider

Function $SceDelegateProvider

test/angular/1.7/angular.js:20087–20371  ·  view source on GitHub ↗

* @ngdoc provider * @name $sceDelegateProvider * @this * * @description * * The `$sceDelegateProvider` provider allows developers to configure the ng.$sceDelegate * $sceDelegate service, used as a delegate for ng.$sce Strict Contextual Escaping (SCE). * * The `$sceDelegatePr

()

Source from the content-addressed store, hash-verified

20085 */
20086
20087function $SceDelegateProvider() {
20088 this.SCE_CONTEXTS = SCE_CONTEXTS;
20089
20090 // Resource URLs can also be trusted by policy.
20091 var resourceUrlWhitelist = ['self'],
20092 resourceUrlBlacklist = [];
20093
20094 /**
20095 * @ngdoc method
20096 * @name $sceDelegateProvider#resourceUrlWhitelist
20097 * @kind function
20098 *
20099 * @param {Array=} whitelist When provided, replaces the resourceUrlWhitelist with the value
20100 * provided. This must be an array or null. A snapshot of this array is used so further
20101 * changes to the array are ignored.
20102 * Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
20103 * allowed in this array.
20104 *
20105 * @return {Array} The currently set whitelist array.
20106 *
20107 * @description
20108 * Sets/Gets the whitelist of trusted resource URLs.
20109 *
20110 * The **default value** when no whitelist has been explicitly set is `['self']` allowing only
20111 * same origin resource requests.
20112 *
20113 * <div class="alert alert-warning">
20114 * **Note:** the default whitelist of 'self' is not recommended if your app shares its origin
20115 * with other apps! It is a good idea to limit it to only your application's directory.
20116 * </div>
20117 */
20118 this.resourceUrlWhitelist = function(value) {
20119 if (arguments.length) {
20120 resourceUrlWhitelist = adjustMatchers(value);
20121 }
20122 return resourceUrlWhitelist;
20123 };
20124
20125 /**
20126 * @ngdoc method
20127 * @name $sceDelegateProvider#resourceUrlBlacklist
20128 * @kind function
20129 *
20130 * @param {Array=} blacklist When provided, replaces the resourceUrlBlacklist with the value
20131 * provided. This must be an array or null. A snapshot of this array is used so further
20132 * changes to the array are ignored.</p><p>
20133 * Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
20134 * allowed in this array.</p><p>
20135 * The typical usage for the blacklist is to **block
20136 * [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as
20137 * these would otherwise be trusted but actually return content from the redirected domain.
20138 * </p><p>
20139 * Finally, **the blacklist overrides the whitelist** and has the final say.
20140 *
20141 * @return {Array} The currently set blacklist array.
20142 *
20143 * @description
20144 * Sets/Gets the blacklist of trusted resource URLs.

Callers

nothing calls this directly

Calls 2

adjustMatchersFunction · 0.70
generateHolderTypeFunction · 0.70

Tested by

no test coverage detected