This repository was archived by the owner on Apr 12, 2024. It is now read-only.
fix($compile) : Add base#href to the list of RESOURCE_URL context attrs #15597
+20
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ributes. This will put the same security constraints to bindings on base#ref as on iframes or script srcs, since it changes the behavior of relative URLs across the page.
gkalpak
approved these changes
Jan 11, 2017
|
@rjamet, what is your take on #15145 (comment)? Is it OK to release #15145 without this change, or should they rather go together (or not at all)? |
|
For anyone wondering this question was answered in #15145 (comment)
|
ellimist
pushed a commit
to ellimist/angular.js
that referenced
this pull request
Mar 15, 2017
…attributes Previously, `base[href]` didn't have an SCE context. This was not ideal, because `base[href]` affects the behavior of all relative URLs across the page. Furthermore, since angular#15145, `base[href]` also affects which URLs are considered trusted under the 'self' policy for white- or black-listed resource URLs. This commit tightens the security of Angular apps, by adding `base[href]` to the list of RESOURCE_URL context attributes, essentially putting the same constraints on bindings to `base[href]` as on iframe or script sources. Refer to the [`$sce` API docs](https://code.angularjs.org/snapshot/docs/api/ng/service/$sce) for more info on SCE trusted contexts. Closes angular#15597 BREAKING CHANGE: Previously, `<base href="{{ $ctrl.baseUrl }}" />` would not require `baseUrl` to be trusted as a RESOURCE_URL. Now, `baseUrl` will be sent to `$sce`'s RESOURCE_URL checks. By default, it will break unless `baseUrl` is of the same origin as the application document. Refer to the [`$sce` API docs](https://code.angularjs.org/snapshot/docs/api/ng/service/$sce) for more info on how to trust a value in a RESOURCE_URL context. Also, concatenation in trusted contexts is not allowed, which means that the following won't work: `<base href="/something/{{ $ctrl.partialPath }}" />`. Either construct complex values in a controller (recommended): ```js this.baseUrl = '/something/' + this.partialPath; ``` ```html <base href="{{ $ctrl.baseUrl }}" /> ``` Or use string concatenation in the interpolation expression (not recommended except for the simplest of cases): ```html <base href="{{ '/something/' + $ctrl.partialPath }}" /> ```
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This will put the same security constraints to bindings on base#ref as on iframes or script srcs, since it changes the behavior of relative URLs across the page. Currently, they don't have a $sce context. Also, it's more generally a good idea in Angular itself, as since #15144 and its fix #15145 we'll consider that baseURI as a trusted origin.
Does this PR introduce a breaking change?
Yup: something like
<base href="{{myUrl}}"/>will send myUrl to the $sce's RESOURCE_URL checks. By default, it will break if myUrl isn't same-origin. Also, concatenation in trusted contexts is disabled: "/{{myPathComponent}}/something" won't work at all.This follows the discussion in #15537 and the initial issue in #15144, fixed in #15145.