Overly permissive patterns for whitelisted URLs can introduce security vulnerabilities.
The trustedResourceUrlList (or the deprecated resourceUrlWhitelist) in $sceDelegateProvider lets you whitelist the URLs that are considered safe for loading templates or running scripts within your AngularJS application.
Entries in the trustedResourceUrlList or resourceUrlWhitelist can be URL patterns that use the wildcard sequences '*' and '**':

'*' matches zero or more occurrences of any character other than one of the following 6 characters: ':', '/', '.', '?', '&' and ';'.
'**' matches zero or more occurrences of any character.

A pattern is matched against the whole URL, so using a wildcard sequence in the URL protocol (scheme), in the domain, or elsewhere can make the pattern match far more URLs than intended, including URLs on origins you do not control.
The following configuration is insecure: each entry uses a wildcard in a position that admits origins the author never intended.

angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.trustedResourceUrlList([
    '**://home.example.com', // will also allow `javascript://home.example.com`
    'https://**.example.com', // will also allow `https://evil.example.com`
    'https://home.**.com', // will also allow `https://home.evil.com`
  ]);
});
The fix is to list the exact origin, with no wildcard in the scheme or the host:

angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.trustedResourceUrlList(['https://home.example.com']); // exact match only
});
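To see concretely what each entry admits, the following added example (not code from the original page or from AngularJS itself) re-implements the two wildcard rules stated above as an anchored regular expression and runs both the insecure and the fixed list against a set of constructed probe URLs. The escaping helper, the function names (patternToRegExp, isTrusted, allowedUrls) and the probe URLs are this example's own; it also goes beyond the page's three entries by showing that '*' in the scheme position is no safer than '**', while '*' in the host position at least stops the match from spilling across '/' and '?'.

```javascript
// Added example: a stand-alone checker for trustedResourceUrlList patterns.
// It mirrors the two rules given above ('**' -> '.*', '*' -> '[^:/.?&;]*',
// everything else literal, anchored at both ends). The escaping helper and
// the probe URLs are this example's own construction, not AngularJS code.

// Turn one string pattern into an anchored RegExp.
function patternToRegExp(pattern) {
  // Three or more consecutive '*' has no defined meaning; refuse it.
  if (pattern.includes('***')) {
    throw new Error('Illegal sequence *** in pattern: ' + pattern);
  }
  // Escape every regex metacharacter, '*' included, so '.' and '?' in the
  // pattern match literally. Wildcards are now spelled '\*' and '\*\*'.
  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  // Replace '\*\*' and '\*' in a single pass so the '*' inside the
  // generated '.*' is never re-expanded by a second replacement.
  const source = escaped.replace(/\\\*\\\*|\\\*/g, (m) =>
    m === '\\*\\*' ? '.*' : '[^:/.?&;]*'
  );
  return new RegExp('^' + source + '$');
}

// True if any pattern in the list admits the given absolute URL.
function isTrusted(patterns, url) {
  return patterns.some((p) => patternToRegExp(p).test(url));
}

// The subset of urls that the list admits.
function allowedUrls(patterns, urls) {
  return urls.filter((u) => isTrusted(patterns, u));
}

// The two lists from the configuration shown above.
const INSECURE_LIST = [
  '**://home.example.com',
  'https://**.example.com',
  'https://home.**.com',
];
const FIXED_LIST = ['https://home.example.com'];

// Constructed probe URLs: the one legitimate origin plus attacker-style variants.
const PROBE_URLS = [
  'https://home.example.com',
  'javascript://home.example.com',   // scheme wildcard admits javascript:
  'https://evil.example.com',        // host wildcard admits sibling subdomains
  'https://home.evil.com',           // wildcard in the middle admits other domains
  'https://evil.com/#.example.com',  // '**' in the host also spans '/' and '#'
];

// Print an ALLOW/deny line per probe URL for a given list.
function report(label, patterns) {
  console.log(label);
  for (const url of PROBE_URLS) {
    console.log(`  ${isTrusted(patterns, url) ? 'ALLOW' : 'deny '}  ${url}`);
  }
}

report('insecure list:', INSECURE_LIST);
report('fixed list:', FIXED_LIST);
```

Running it shows the insecure list admitting all five probe URLs and the fixed list admitting only https://home.example.com. Note that '*://home.example.com' still admits javascript://home.example.com, because 'javascript' contains none of the six excluded characters; the only safe scheme is a literal one. A single '*' in the host ('https://*.example.com') does reject https://evil.com/#.example.com, since '/' and '.' are excluded, but it still admits https://evil.example.com, so it is only appropriate when every subdomain of example.com is under your control.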