diff --git a/src/ng/compile.js b/src/ng/compile.js
index 1b1d5d642142..878b8260c762 100644
--- a/src/ng/compile.js
+++ b/src/ng/compile.js
@@ -3256,6 +3256,9 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
 // maction[xlink:href] can source SVG. It's not limited to .
 } else if (attrNormalizedName === 'xlinkHref' ||
 (tag === 'form' && attrNormalizedName === 'action') ||
+ // If relative URLs can go where they are not expected to, then
+ // all sorts of trust issues can arise.
+ (tag === 'base' && attrNormalizedName === 'href') ||
 // links can be stylesheets or imports, which can run script in the current origin
 (tag === 'link' && attrNormalizedName === 'href')
 ) {
diff --git a/src/ng/sce.js b/src/ng/sce.js
index e536bdc4d86b..d951d3a4a833 100644
--- a/src/ng/sce.js
+++ b/src/ng/sce.js
@@ -544,7 +544,7 @@ function $SceDelegateProvider() {
 * | `$sce.HTML` | For HTML that's safe to source into the application. The {@link ng.directive:ngBindHtml ngBindHtml} directive uses this context for bindings. If an unsafe value is encountered and the {@link ngSanitize $sanitize} module is present this will sanitize the value instead of throwing an error. |
 * | `$sce.CSS` | For CSS that's safe to source into the application. Currently unused. Feel free to use it in your own directives. |
 * | `$sce.URL` | For URLs that are safe to follow as links. Currently unused (`
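Review bot: The comment added above the new `base` branch states the risk only obliquely ("relative URLs can go where they are not expected to") without saying what the attribute controls, so the next reader of this condition list has to reconstruct why `base` sits next to `link` and `form`. Suggest `// base[href] changes how every relative URL in the document resolves, so it needs RESOURCE_URL trust like link[href] and form[action].` The `if`/`else if` chain and `$CompileProvider` itself start and end outside the hunk.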
Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` does and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` are required. | + * | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG`, `VIDEO`, `AUDIO`, `SOURCE`, and `TRACK` (e.g. `IFRAME`, `OBJECT`, etc.), plus some miscellaneous sensitive attributes (BASE HREF, LINK HREF, etc.)

Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` does and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` are required. | * | `$sce.JS` | For JavaScript that is safe to execute in your application's context. Currently unused. Feel free to use it in your own directives. | * * ## Format of items in {@link ng.$sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist}/{@link ng.$sceDelegateProvider#resourceUrlBlacklist Blacklist}
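Review bot: The new `$sce.RESOURCE_URL` row names `BASE HREF` and `LINK HREF` as the miscellaneous sensitive attributes, but the `compile.js` hunk in this same change routes `form[action]` and `xlink:href` through the identical RESOURCE_URL branch, so the table understates what the context covers. Suggest ending the parenthetical with `(BASE HREF, LINK HREF, FORM ACTION, XLINK HREF, etc.)` so the documentation and the condition in `$CompileProvider` stay in step. This is a JSDoc-only hunk; the enclosing doc block starts and ends outside it.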
diff --git a/test/ng/compileSpec.js b/test/ng/compileSpec.js index 926b7fadd5a4..2ab6d6f13eb5 100644 --- a/test/ng/compileSpec.js +++ b/test/ng/compileSpec.js @@ -11169,6 +11169,22 @@ describe('$compile', function() { })); }); + describe('base[href]', function() { + it('should be a RESOURCE_URL context', inject(function($compile, $rootScope, $sce) { + element = $compile('')($rootScope); + + $rootScope.testUrl = $sce.trustAsResourceUrl('https://example.com/'); + $rootScope.$apply(); + expect(element.attr('href')).toContain('https://example.com/'); + + $rootScope.testUrl = 'https://not.example.com/'; + expect(function() { $rootScope.$apply(); }).toThrowMinErr( + '$interpolate', 'interr', 'Can\'t interpolate: {{testUrl}}\nError: [$sce:insecurl] Blocked ' + + 'loading resource from url not allowed by $sceDelegate policy. URL: ' + + 'https://not.example.com/'); + })); + }); + describe('form[action]', function() { it('should pass through action attribute for the same domain', inject(function($compile, $rootScope, $sce) { element = $compile('
')($rootScope);
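Review bot: The positive assertion in the new `base[href]` test, `expect(element.attr('href')).toContain('https://example.com/')`, is weaker than the behaviour it is meant to pin; the trusted value should be interpolated verbatim, so `expect(element.attr('href')).toBe('https://example.com/');` would also catch an unexpected prefix or wrapping of the URL. The test assigns to a shared `element` variable and presumably relies on an `afterEach` outside this hunk to dealloc it, which I cannot confirm from here. The enclosing `describe('$compile', …)` starts and ends outside the hunk.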