refactor(sceDelegateProvider): remove usages of whitelist and blacklist

Changes resourceUrlWhitelist to trustedResourceUrlList and resourceUrlBlacklist to bannedResourceUrlList, updating references to use this new symbol. For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.
angular · Sep 30, 2020 · a206e26 · a206e26
1 parent 9679e58
commit a206e26
Show file tree

Hide file tree

Showing 12 changed files with 144 additions and 122 deletions.
diff --git a/docs/content/error/$sce/imatcher.ngdoc b/docs/content/error/$sce/imatcher.ngdoc
@@ -3,7 +3,7 @@
 @fullName Invalid matcher (only string patterns and RegExp instances are supported)
 @description
 
-Please see {@link $sceDelegateProvider#resourceUrlWhitelist
-$sceDelegateProvider.resourceUrlWhitelist} and {@link
-$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist} for the
+Please see {@link $sceDelegateProvider#trustedResourceUrlList
+$sceDelegateProvider.trustedResourceUrlList} and {@link
+$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList} for the
 list of acceptable items.
diff --git a/docs/content/error/$sce/insecurl.ngdoc b/docs/content/error/$sce/insecurl.ngdoc
@@ -15,8 +15,8 @@ By default, only URLs that belong to the same origin are trusted. These are urls
 The {@link ng.directive:ngInclude ngInclude} directive and {@link guide/directive directives} that specify a `templateUrl` require a trusted resource URL.
 
 To load templates from other domains and/or protocols, either adjust the {@link
-ng.$sceDelegateProvider#resourceUrlWhitelist whitelist}/ {@link
-ng.$sceDelegateProvider#resourceUrlBlacklist blacklist} or wrap the URL with a call to {@link
+ng.$sceDelegateProvider#trustedResourceUrlList trusted resource URL list}/ {@link
+ng.$sceDelegateProvider#bannedResourceUrlList banned resource URL list} or wrap the URL with a call to {@link
 ng.$sce#trustAsResourceUrl $sce.trustAsResourceUrl}.
 
 **Note**: The browser's [Same Origin

diff --git a/docs/content/error/$sce/iwcard.ngdoc b/docs/content/error/$sce/iwcard.ngdoc
@@ -3,7 +3,7 @@
 @fullName The sequence *** is not a valid pattern wildcard
 @description
 
-The strings in {@link $sceDelegateProvider#resourceUrlWhitelist
-$sceDelegateProvider.resourceUrlWhitelist} and {@link
-$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist} may not
+The strings in {@link $sceDelegateProvider#trustedResourceUrlList
+$sceDelegateProvider.trustedResourceUrlList} and {@link
+$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList} may not
 contain the undefined sequence `***`.  Only `*` and `**` wildcard patterns are defined.
diff --git a/docs/content/guide/migration.ngdoc b/docs/content/guide/migration.ngdoc
@@ -1387,12 +1387,12 @@ $http.json('other/trusted/url', {jsonpCallbackParam: 'cb'});
 all JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to
 trust a URL:
 
-1. **Whitelisting with the `$sceDelegateProvider.resourceUrlWhitelist()` method.**
+1. **Setting trusted resource URLs with the `$sceDelegateProvider.trustedResourceUrlList()` method.**
    You configure this list in a module configuration block:
 
     ```js
     appModule.config(['$sceDelegateProvider', function($sceDelegateProvider) {
-      $sceDelegateProvider.resourceUrlWhitelist([
+      $sceDelegateProvider.trustedResourceUrlList([
         // Allow same origin resource loads.
         'self',
         // Allow JSONP calls that match this pattern
@@ -2662,11 +2662,11 @@ $scope.findTemplate = function(templateName) {
   return templateCache[templateName];
 };
 
-// Alternatively, use `$sceDelegateProvider.resourceUrlWhitelist()`, which means you don't
+// Alternatively, use `$sceDelegateProvider.trustedResourceUrlList()`, which means you don't
 // have to use `$sce.trustAsResourceUrl()` at all:
 
 angular.module('myApp', []).config(function($sceDelegateProvider) {
-  $sceDelegateProvider.resourceUrlWhitelist(['self', 'https://example.com/templates/**'])
+  $sceDelegateProvider.trustedResourceUrlList(['self', 'https://example.com/templates/**'])
 });
 ```
 

diff --git a/src/Angular.js b/src/Angular.js
@@ -1532,7 +1532,7 @@ function allowAutoBootstrap(document) {
     link.href = src.value;
 
     if (document.location.origin === link.origin) {
-      // Same-origin resources are always allowed, even for non-whitelisted schemes.
+      // Same-origin resources are always allowed, even for banned URL schemes.
       return true;
     }
     // Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.

diff --git a/src/ng/compile.js b/src/ng/compile.js
@@ -1106,8 +1106,8 @@
  *
  * Based on the context, other options may exist to mark a value as trusted / configure the behavior
  * of {@link ng.$sce}. For example, to restrict the `RESOURCE_URL` context to specific origins, use
- * the {@link $sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist()}
- * and {@link $sceDelegateProvider#resourceUrlBlacklist resourceUrlBlacklist()}.
+ * the {@link $sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList()}
+ * and {@link $sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList()}.
  *
  * {@link ng.$sce#what-trusted-context-types-are-supported- Find out more about the different context types}.
  *

diff --git a/src/ng/directive/ngInclude.js b/src/ng/directive/ngInclude.js
@@ -13,9 +13,9 @@
  * By default, the template URL is restricted to the same domain and protocol as the
  * application document. This is done by calling {@link $sce#getTrustedResourceUrl
  * $sce.getTrustedResourceUrl} on it. To load templates from other domains or protocols
- * you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist them} or
- * {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to AngularJS's {@link
- * ng.$sce Strict Contextual Escaping}.
+ * you may either add them to your {@link ng.$sceDelegateProvider#trustedResourceUrlList trusted
+ * resource URL list} or {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to
+ * AngularJS's {@link ng.$sce Strict Contextual Escaping}.
  *
  * In addition, the browser's
  * [Same Origin Policy](https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest)

diff --git a/src/ng/http.js b/src/ng/http.js
@@ -965,7 +965,7 @@ function $HttpProvider() {
   angular.module('httpExample', [])
     .config(['$sceDelegateProvider', function($sceDelegateProvider) {
       // We must whitelist the JSONP endpoint that we are using to show that we trust it
-      $sceDelegateProvider.resourceUrlWhitelist([
+      $sceDelegateProvider.trustedResourceUrlList([
         'self',
         'https://angularjs.org/**'
       ]);
@@ -1223,7 +1223,7 @@ function $HttpProvider() {
      * Note that, since JSONP requests are sensitive because the response is given full access to the browser,
      * the url must be declared, via {@link $sce} as a trusted resource URL.
      * You can trust a URL by adding it to the whitelist via
-     * {@link $sceDelegateProvider#resourceUrlWhitelist  `$sceDelegateProvider.resourceUrlWhitelist`} or
+     * {@link $sceDelegateProvider#trustedResourceUrlList  `$sceDelegateProvider.trustedResourceUrlList`} or
      * by explicitly trusting the URL via {@link $sce#trustAsResourceUrl `$sce.trustAsResourceUrl(url)`}.
      *
      * You should avoid generating the URL for the JSONP request from user provided data.