From c953af6b8cfeefe4acc0ca358550eed5da8cfe00 Mon Sep 17 00:00:00 2001 From: Joey Perrott Date: Wed, 23 Sep 2020 10:32:44 -0700 Subject: [PATCH] refactor(httpProvider): remove usages of whitelist and blacklist Changes xsrfWhitelistedOrigins to xsrfTrustedOrigins updating references to use this new symbol. For the purposes of backward compatibility, the previous symbol is aliased to the new symbol. --- docs/content/guide/migration.ngdoc | 4 ++-- src/ng/http.js | 24 ++++++++++++------------ test/ng/httpSpec.js | 16 ++++++++-------- 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/docs/content/guide/migration.ngdoc b/docs/content/guide/migration.ngdoc index 5f66551a9d17..f243eef04a9e 100644 --- a/docs/content/guide/migration.ngdoc +++ b/docs/content/guide/migration.ngdoc @@ -2647,8 +2647,8 @@ $scope.findTemplate = function(templateName) { }; ``` -To migrate, either cache the result of `trustAsResourceUrl()`, or put the template url in the resource -whitelist in the `config()` function: +To migrate, either cache the result of `trustAsResourceUrl()`, or put the template url in the trusted resource +URL list in the `config()` function: After: diff --git a/src/ng/http.js b/src/ng/http.js index dcc30b1bc92c..b35d73a50d93 100644 --- a/src/ng/http.js +++ b/src/ng/http.js @@ -388,7 +388,7 @@ function $HttpProvider() { /** * @ngdoc property - * @name $httpProvider#xsrfWhitelistedOrigins + * @name $httpProvider#xsrfTrustedOrigins * @description * * Array containing URLs whose origins are trusted to receive the XSRF token. See the @@ -402,7 +402,7 @@ function $HttpProvider() { * Examples: `http://example.com`, `https://api.example.com:9876` * *
- * It is not possible to whitelist specific URLs/paths. The `path`, `query` and `fragment` parts + * It is not possible to trust specific URLs/paths. The `path`, `query` and `fragment` parts * of a URL will be ignored. For example, `https://foo.com/path/bar?query=baz#fragment` will be * treated as `https://foo.com`, meaning that **all** requests to URLs starting with * `https://foo.com/` will include the XSRF token. @@ -413,9 +413,9 @@ function $HttpProvider() { * ```js * // App served from `https://example.com/`. * angular. - * module('xsrfWhitelistedOriginsExample', []). + * module('xsrfTrustedOriginsExample', []). * config(['$httpProvider', function($httpProvider) { - * $httpProvider.xsrfWhitelistedOrigins.push('https://api.example.com'); + * $httpProvider.xsrfTrustedOrigins.push('https://api.example.com'); * }]). * run(['$http', function($http) { * // The XSRF token will be sent. @@ -426,7 +426,7 @@ function $HttpProvider() { * }]); * ``` */ - var xsrfWhitelistedOrigins = this.xsrfWhitelistedOrigins = []; + var xsrfTrustedOrigins = this.xsrfWhitelistedOrigins = this.xsrfTrustedOrigins = []; this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce', function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) { @@ -454,7 +454,7 @@ function $HttpProvider() { /** * A function to check request URLs against a list of allowed origins. */ - var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfWhitelistedOrigins); + var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfTrustedOrigins); /** * @ngdoc service 
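Review bot: The backward-compatibility alias on the line `var xsrfTrustedOrigins = this.xsrfWhitelistedOrigins = this.xsrfTrustedOrigins = [];` is neither documented nor exercised by the spec hunks of this patch: the ngdoc block now names only `xsrfTrustedOrigins`, and the `beforeEach` in test/ng/httpSpec.js pushes only through the new name. Because this list decides which cross-origin servers receive the XSRF token, I would add a comment above the assignment such as `// xsrfWhitelistedOrigins is a deprecated alias; both properties must keep referencing this same array.` and a spec that pushes an origin via `$httpProvider.xsrfWhitelistedOrigins` and expects the header to be set. The ngdoc could also say that origins must be added with `push()`, since `urlIsAllowedOriginFactory(xsrfTrustedOrigins)` in the following hunk receives the closed-over array, so assigning a new array to either property would presumably have no effect. The enclosing `$HttpProvider` function starts and ends outside these hunks.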
@@ -828,16 +828,16 @@ function $HttpProvider() { * The header will — by default — **not** be set for cross-domain requests. This * prevents unauthorized servers (e.g. malicious or compromised 3rd-party APIs) from gaining * access to your users' XSRF tokens and exposing them to Cross Site Request Forgery. If you - * want to, you can whitelist additional origins to also receive the XSRF token, by adding them - * to {@link ng.$httpProvider#xsrfWhitelistedOrigins xsrfWhitelistedOrigins}. This might be + * want to, you can trust additional origins to also receive the XSRF token, by adding them + * to {@link ng.$httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}. This might be * useful, for example, if your application, served from `example.com`, needs to access your API * at `api.example.com`. - * See {@link ng.$httpProvider#xsrfWhitelistedOrigins $httpProvider.xsrfWhitelistedOrigins} for + * See {@link ng.$httpProvider#xsrfTrustedOrigins $httpProvider.xsrfTrustedOrigins} for * more details. * *
* **Warning**
- * Only whitelist origins that you have control over and make sure you understand the + * Only trusted origins that you have control over and make sure you understand the * implications of doing so. *
* @@ -964,7 +964,7 @@ function $HttpProvider() { angular.module('httpExample', []) .config(['$sceDelegateProvider', function($sceDelegateProvider) { - // We must whitelist the JSONP endpoint that we are using to show that we trust it + // We must add the JSONP endpoint that we are using to the trusted list to show that we trust it $sceDelegateProvider.trustedResourceUrlList([ 'self', 'https://angularjs.org/**' @@ -1222,7 +1222,7 @@ function $HttpProvider() { * * Note that, since JSONP requests are sensitive because the response is given full access to the browser, * the url must be declared, via {@link $sce} as a trusted resource URL. - * You can trust a URL by adding it to the whitelist via + * You can trust a URL by adding it to the trusted resource URL list via * {@link $sceDelegateProvider#trustedResourceUrlList `$sceDelegateProvider.trustedResourceUrlList`} or * by explicitly trusting the URL via {@link $sce#trustAsResourceUrl `$sce.trustAsResourceUrl(url)`}. * diff --git a/test/ng/httpSpec.js b/test/ng/httpSpec.js index d0c994670b49..3df3f6b17cc6 100644 --- a/test/ng/httpSpec.js +++ b/test/ng/httpSpec.js @@ -2213,9 +2213,9 @@ describe('$http', function() { var $httpBackend; beforeEach(module(function($httpProvider) { - $httpProvider.xsrfWhitelistedOrigins.push( - 'https://whitelisted.example.com', - 'https://whitelisted2.example.com:1337/ignored/path'); + $httpProvider.xsrfTrustedOrigins.push( + 'https://trusted.example.com', + 'https://trusted2.example.com:1337/ignored/path'); })); beforeEach(inject(function(_$http_, _$httpBackend_) { @@ -2312,8 +2312,8 @@ describe('$http', function() { } var requestUrls = [ 'https://api.example.com/path', - 'http://whitelisted.example.com', - 'https://whitelisted2.example.com:1338' + 'http://trusted.example.com', + 'https://trusted2.example.com:1338' ]; mockedCookies['XSRF-TOKEN'] = 'secret'; 
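Review bot: The rewritten warning line `Only trusted origins that you have control over and make sure you understand the` in the `@@ -828,16 +828,16 @@` hunk no longer has a verb, because the verb "whitelist" was replaced with the adjective "trusted". This is the one warning that tells readers which origins may safely receive the XSRF token, so it should read `* Only trust origins that you have control over and make sure you understand the`. The doc comment this hunk belongs to starts and ends outside the hunk.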
@@ -2326,15 +2326,15 @@ describe('$http', function() { }); - it('should set an XSRF header for cross-domain requests to whitelisted origins', + it('should set an XSRF header for cross-domain requests to trusted origins', inject(function($browser) { function checkHeaders(headers) { return headers['X-XSRF-TOKEN'] === 'secret'; } var currentUrl = 'https://example.com/path'; var requestUrls = [ - 'https://whitelisted.example.com/path', - 'https://whitelisted2.example.com:1337/path' + 'https://trusted.example.com/path', + 'https://trusted2.example.com:1337/path' ]; $browser.url(currentUrl);