Skip to content
This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

Commit

Permalink
refactor(httpProvider): remove usages of whitelist and blacklist
Browse files Browse the repository at this point in the history
Changes xsrfWhitelistedOrigins to xsrfTrustedOrigins updating references to use
this new symbol.

For the purposes of backward compatibility, the previous symbol is aliased to
the new symbol.
  • Loading branch information
josephperrott authored and petebacondarwin committed Sep 30, 2020
1 parent a206e26 commit c953af6
Showing 3 changed files with 22 additions and 22 deletions.
4 changes: 2 additions & 2 deletions docs/content/guide/migration.ngdoc
Original file line number Diff line number Diff line change
@@ -2647,8 +2647,8 @@ $scope.findTemplate = function(templateName) {
};
```

To migrate, either cache the result of `trustAsResourceUrl()`, or put the template url in the resource
whitelist in the `config()` function:
To migrate, either cache the result of `trustAsResourceUrl()`, or put the template url in the trusted resource
URL list in the `config()` function:

After:

24 changes: 12 additions & 12 deletions src/ng/http.js
Original file line number Diff line number Diff line change
@@ -388,7 +388,7 @@ function $HttpProvider() {

/**
* @ngdoc property
* @name $httpProvider#xsrfWhitelistedOrigins
* @name $httpProvider#xsrfTrustedOrigins
* @description
*
* Array containing URLs whose origins are trusted to receive the XSRF token. See the
@@ -402,7 +402,7 @@ function $HttpProvider() {
* Examples: `http://example.com`, `https://api.example.com:9876`
*
* <div class="alert alert-warning">
* It is not possible to whitelist specific URLs/paths. The `path`, `query` and `fragment` parts
* It is not possible to trust specific URLs/paths. The `path`, `query` and `fragment` parts
* of a URL will be ignored. For example, `https://foo.com/path/bar?query=baz#fragment` will be
* treated as `https://foo.com`, meaning that **all** requests to URLs starting with
* `https://foo.com/` will include the XSRF token.
@@ -413,9 +413,9 @@ function $HttpProvider() {
* ```js
* // App served from `https://example.com/`.
* angular.
* module('xsrfWhitelistedOriginsExample', []).
* module('xsrfTrustedOriginsExample', []).
* config(['$httpProvider', function($httpProvider) {
* $httpProvider.xsrfWhitelistedOrigins.push('https://api.example.com');
* $httpProvider.xsrfTrustedOrigins.push('https://api.example.com');
* }]).
* run(['$http', function($http) {
* // The XSRF token will be sent.
@@ -426,7 +426,7 @@ function $HttpProvider() {
* }]);
* ```
*/
var xsrfWhitelistedOrigins = this.xsrfWhitelistedOrigins = [];
var xsrfTrustedOrigins = this.xsrfWhitelistedOrigins = this.xsrfTrustedOrigins = [];

this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce',
function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) {
@@ -454,7 +454,7 @@ function $HttpProvider() {
/**
* A function to check request URLs against a list of allowed origins.
*/
var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfWhitelistedOrigins);
var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfTrustedOrigins);

/**
* @ngdoc service
@@ -828,16 +828,16 @@ function $HttpProvider() {
* The header will &mdash; by default &mdash; **not** be set for cross-domain requests. This
* prevents unauthorized servers (e.g. malicious or compromised 3rd-party APIs) from gaining
* access to your users' XSRF tokens and exposing them to Cross Site Request Forgery. If you
* want to, you can whitelist additional origins to also receive the XSRF token, by adding them
* to {@link ng.$httpProvider#xsrfWhitelistedOrigins xsrfWhitelistedOrigins}. This might be
* want to, you can trust additional origins to also receive the XSRF token, by adding them
* to {@link ng.$httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}. This might be
* useful, for example, if your application, served from `example.com`, needs to access your API
* at `api.example.com`.
* See {@link ng.$httpProvider#xsrfWhitelistedOrigins $httpProvider.xsrfWhitelistedOrigins} for
* See {@link ng.$httpProvider#xsrfTrustedOrigins $httpProvider.xsrfTrustedOrigins} for
* more details.
*
* <div class="alert alert-danger">
* **Warning**<br />
* Only whitelist origins that you have control over and make sure you understand the
* Only trusted origins that you have control over and make sure you understand the
* implications of doing so.
* </div>
*
@@ -964,7 +964,7 @@ function $HttpProvider() {
<file name="script.js">
angular.module('httpExample', [])
.config(['$sceDelegateProvider', function($sceDelegateProvider) {
// We must whitelist the JSONP endpoint that we are using to show that we trust it
// We must add the JSONP endpoint that we are using to the trusted list to show that we trust it
$sceDelegateProvider.trustedResourceUrlList([
'self',
'https://angularjs.org/**'
@@ -1222,7 +1222,7 @@ function $HttpProvider() {
*
* Note that, since JSONP requests are sensitive because the response is given full access to the browser,
* the url must be declared, via {@link $sce} as a trusted resource URL.
* You can trust a URL by adding it to the whitelist via
* You can trust a URL by adding it to the trusted resource URL list via
* {@link $sceDelegateProvider#trustedResourceUrlList `$sceDelegateProvider.trustedResourceUrlList`} or
* by explicitly trusting the URL via {@link $sce#trustAsResourceUrl `$sce.trustAsResourceUrl(url)`}.
*
16 changes: 8 additions & 8 deletions test/ng/httpSpec.js
Original file line number Diff line number Diff line change
@@ -2213,9 +2213,9 @@ describe('$http', function() {
var $httpBackend;

beforeEach(module(function($httpProvider) {
$httpProvider.xsrfWhitelistedOrigins.push(
'https://whitelisted.example.com',
'https://whitelisted2.example.com:1337/ignored/path');
$httpProvider.xsrfTrustedOrigins.push(
'https://trusted.example.com',
'https://trusted2.example.com:1337/ignored/path');
}));

beforeEach(inject(function(_$http_, _$httpBackend_) {
@@ -2312,8 +2312,8 @@ describe('$http', function() {
}
var requestUrls = [
'https://api.example.com/path',
'http://whitelisted.example.com',
'https://whitelisted2.example.com:1338'
'http://trusted.example.com',
'https://trusted2.example.com:1338'
];

mockedCookies['XSRF-TOKEN'] = 'secret';
@@ -2326,15 +2326,15 @@ describe('$http', function() {
});


it('should set an XSRF header for cross-domain requests to whitelisted origins',
it('should set an XSRF header for cross-domain requests to trusted origins',
inject(function($browser) {
function checkHeaders(headers) {
return headers['X-XSRF-TOKEN'] === 'secret';
}
var currentUrl = 'https://example.com/path';
var requestUrls = [
'https://whitelisted.example.com/path',
'https://whitelisted2.example.com:1337/path'
'https://trusted.example.com/path',
'https://trusted2.example.com:1337/path'
];

$browser.url(currentUrl);

0 comments on commit c953af6

Please sign in to comment.