fix($compile): secure link[href] as a RESOURCE_URLs in $sce.

User-controlled imports or stylesheets can run script in your origin,
which warrants that we require that they are safe `RESOURCE_URL`s.

Closes #14687

BREAKING CHANGE

`link[href]` attributes are now protected via `$sce`, which prevents interpolated
values that fail the `RESOURCE_URL` context tests from being used in interpolation.

For example if the application is running at `https://docs.angularjs.org` then the
following will fail:

```
<link href="{{ 'http://mydomain.org/unsafe.css' }}" rel="stylesheet">
```

By default, `RESOURCE_URL` safe URLs are only allowed from the same domain and protocol
as the application document.

To use URLs from other domains and/or protocols, you may either whitelist them or
wrap it into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
This commit is contained in:
Raphael Jamet
2016-05-27 14:13:09 +02:00
committed by Peter Bacon Darwin
parent 3b4bfa1771
commit 04cad41d26
2 changed files with 33 additions and 0 deletions
+2
View File
@@ -2971,6 +2971,8 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
// maction[xlink:href] can source SVG. It's not limited to <maction>.
if (attrNormalizedName === "xlinkHref" ||
(tag === "form" && attrNormalizedName === "action") ||
// links can be stylesheets or imports, which can run script in the current origin
(tag === "link" && attrNormalizedName === "href") ||
(tag !== "img" && (attrNormalizedName === "src" ||
attrNormalizedName === "ngSrc"))) {
return $sce.RESOURCE_URL;
+31
View File
@@ -10171,6 +10171,7 @@ describe('$compile', function() {
"loading resource from url not allowed by $sceDelegate policy. URL: javascript:doTrustedStuff()");
}));
it('should pass through $sce.trustAs() values in action attribute', inject(function($compile, $rootScope, $sce) {
/* jshint scripturl:true */
element = $compile('<form action="{{testUrl}}"></form>')($rootScope);
@@ -10181,6 +10182,36 @@ describe('$compile', function() {
}));
});
describe('link[href]', function() {
it('should reject invalid RESOURCE_URLs', inject(function($compile, $rootScope) {
element = $compile('<link href="{{testUrl}}" rel="stylesheet" />')($rootScope);
$rootScope.testUrl = "https://evil.example.org/css.css";
expect(function() { $rootScope.$apply(); }).toThrowMinErr(
"$interpolate", "interr", "Can't interpolate: {{testUrl}}\nError: [$sce:insecurl] Blocked " +
"loading resource from url not allowed by $sceDelegate policy. URL: " +
"https://evil.example.org/css.css");
}));
it('should accept valid RESOURCE_URLs', inject(function($compile, $rootScope, $sce) {
element = $compile('<link href="{{testUrl}}" rel="stylesheet" />')($rootScope);
$rootScope.testUrl = "./css1.css";
$rootScope.$apply();
expect(element.attr('href')).toContain('css1.css');
$rootScope.testUrl = $sce.trustAsResourceUrl('https://elsewhere.example.org/css2.css');
$rootScope.$apply();
expect(element.attr('href')).toContain('https://elsewhere.example.org/css2.css');
}));
it('should accept valid constants', inject(function($compile, $rootScope) {
element = $compile('<link href="https://elsewhere.example.org/css2.css" rel="stylesheet" />')($rootScope);
$rootScope.$apply();
expect(element.attr('href')).toContain('https://elsewhere.example.org/css2.css');
}));
});
if (!msie || msie >= 11) {
describe('iframe[srcdoc]', function() {
it('should NOT set iframe contents for untrusted values', inject(function($compile, $rootScope, $sce) {