Permalink
Comparing changes
Open a pull request
- 3 commits
- 6 files changed
- 0 commit comments
- 1 contributor
Commits on Oct 05, 2016
The mock calls to `valueOf(v)` and `getTrustedResourceUrl(v)` were not dealing with the case where `v` was null.
The $http service will reject JSONP requests that are not trusted by `$sce` as "ResourceUrl". This change makes is easier for developers to see clearly where in their code they are making JSONP calls that may be to untrusted endpoings and forces them to think about how these URLs are generated. Be aware that this commit does not put any constraint on the parameters that will be appended to the URL. Developers should be mindful of what parameters can be attached and how they are generated. Closes #11352 BREAKING CHANGE All JSONP requests now require the URL to be trusted as resource URLs. There are two approaches to trust a URL: **Whitelisting with the `$sceDelegateProvider.resourceUrlWhitelist()` method.** You configure this list in a module configuration block: ``` appModule.config(['$sceDelegateProvider', function($sceDelegateProvider) { $sceDelegateProvider.resourceUrlWhiteList([ // Allow same origin resource loads. 'self', // Allow JSONP calls that match this pattern 'https://some.dataserver.com/**.jsonp?**` ]); }]); ``` **Explicitly trusting the URL via the `$sce.trustAsResourceUrl(url)` method** You can pass a trusted object instead of a string as a URL to the `$http` service: ``` var promise = $http.jsonp($sce.trustAsResourceUrl(url)); ```
… config The query parameter that will be used to transmit the JSONP callback to the server is now specified via the `jsonpCallbackParam` config value, instead of using the `JSON_CALLBACK` placeholder. * Any use of `JSON_CALLBACK` in a JSONP request URL will cause an error. * Any request that provides a parameter with the same name as that given by the `jsonpCallbackParam` config property will cause an error. This is to prevent malicious attack via the response from an app inadvertently allowing untrusted data to be used to generate the callback parameter. Closes #15161 Closes #15143 Closes #11352 Closes #11328 BREAKING CHANGE You can no longer use the `JSON_CALLBACK` placeholder in your JSONP requests. Instead you must provide the name of the query parameter that will pass the callback via the `jsonpCallbackParam` property of the config object, or app-wide via the `$http.defaults.jsonpCallbackParam` property, which is `"callback"` by default. Before this change: ``` $http.json('trusted/url?callback=JSON_CALLBACK'); $http.json('other/trusted/url', {params:cb:'JSON_CALLBACK'}); ``` After this change: ``` $http.json('trusted/url'); $http.json('other/trusted/url', {callbackParam:'cb'}); ```
Unified
Split
Showing
with
219 additions
and 36 deletions.
- +20 −0 docs/content/error/$http/badjsonp.ngdoc
- +5 −1 docs/content/error/$http/badreq.ngdoc
- +1 −1 docs/content/guide/concepts.ngdoc
- +92 −17 src/ng/http.js
- +98 −15 test/ng/httpSpec.js
- +3 −2 test/ngRoute/routeSpec.js
| @@ -0,0 +1,20 @@ | ||
| @ngdoc error | ||
| @name $http:badjsonp | ||
| @fullName Bad JSONP Request Configuration | ||
| @description | ||
|
|
||
| This error occurs when the URL generated from the configuration object contains a parameter with the | ||
| same name as the configured `jsonpCallbackParam` property; or when it contains a parameter whose | ||
| value is `JSON_CALLBACK`. | ||
|
|
||
| `$http` JSONP requests need to attach a callback query parameter to the URL. The name of this | ||
| parameter is specified in the configuration object (or in the defaults) via the `jsonpCallbackParam` | ||
| property. You must not provide your own parameter with this name in the configuratio of the request. | ||
|
|
||
| In previous versions of Angular, you specified where to add the callback parameter value via the | ||
| `JSON_CALLBACK` placeholder. This is no longer allowed. | ||
|
|
||
| To resolve this error, remove any parameters that have the same name as the `jsonpCallbackParam`; | ||
| and/or remove any parameters that have a value of `JSON_CALLBACK`. | ||
|
|
||
| For more information, see the {@link ng.$http#jsonp `$http.jsonp()`} method API documentation. |
| @@ -3,7 +3,11 @@ | ||
| @fullName Bad Request Configuration | ||
| @description | ||
|
|
||
| This error occurs when the request configuration parameter passed to the {@link ng.$http `$http`} service is not an object. `$http` expects a single parameter, the request configuration object, but received a parameter that was not an object. The error message should provide additional context such as the actual value of the parameter that was received. If you passed a string parameter, perhaps you meant to call one of the shorthand methods on `$http` such as `$http.get(…)`, etc. | ||
| This error occurs when the request configuration parameter passed to the {@link ng.$http `$http`} service is not a valid object. | ||
| `$http` expects a single parameter, the request configuration object, but received a parameter that was not an object or did not contain valid properties. | ||
|
|
||
| The error message should provide additional context such as the actual value of the parameter that was received. | ||
| If you passed a string parameter, perhaps you meant to call one of the shorthand methods on `$http` such as `$http.get(…)`, etc. | ||
|
|
||
| To resolve this error, make sure you pass a valid request configuration object to `$http`. | ||
|
|
||
| @@ -326,7 +326,7 @@ The following example shows how this is done with Angular: | ||
| var YAHOO_FINANCE_URL_PATTERN = | ||
| '//query.yahooapis.com/v1/public/yql?q=select * from ' + | ||
| 'yahoo.finance.xchange where pair in ("PAIRS")&format=json&' + | ||
| 'env=store://datatables.org/alltableswithkeys&callback=JSON_CALLBACK'; | ||
| 'env=store://datatables.org/alltableswithkeys'; | ||
| var currencies = ['USD', 'EUR', 'CNY']; | ||
| var usdToForeignRates = {}; | ||
|
|
||
| @@ -286,6 +286,10 @@ function $HttpProvider() { | ||
| * If specified as string, it is interpreted as a function registered with the {@link auto.$injector $injector}. | ||
| * Defaults to {@link ng.$httpParamSerializer $httpParamSerializer}. | ||
| * | ||
| * - **`defaults.jsonpCallbackParam`** - `{string} - the name of the query parameter that passes the name of the | ||
| * callback in a JSONP request. The value of this parameter will be replaced with the expression generated by the | ||
| * {@link $jsonpCallbacks} service. Defaults to `'callback'`. | ||
| * | ||
| **/ | ||
| var defaults = this.defaults = { | ||
| // transform incoming response data | ||
| @@ -309,7 +313,9 @@ function $HttpProvider() { | ||
| xsrfCookieName: 'XSRF-TOKEN', | ||
| xsrfHeaderName: 'X-XSRF-TOKEN', | ||
|
|
||
| paramSerializer: '$httpParamSerializer' | ||
| paramSerializer: '$httpParamSerializer', | ||
|
|
||
| jsonpCallbackParam: 'callback' | ||
| }; | ||
|
|
||
| var useApplyAsync = false; | ||
| @@ -379,8 +385,8 @@ function $HttpProvider() { | ||
| **/ | ||
| var interceptorFactories = this.interceptors = []; | ||
|
|
||
| this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', | ||
| function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector) { | ||
| this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce', | ||
| function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) { | ||
|
|
||
| var defaultCache = $cacheFactory('$http'); | ||
|
|
||
| @@ -802,7 +808,8 @@ function $HttpProvider() { | ||
| * processed. The object has following properties: | ||
| * | ||
| * - **method** – `{string}` – HTTP method (e.g. 'GET', 'POST', etc) | ||
| * - **url** – `{string}` – Absolute or relative URL of the resource that is being requested. | ||
| * - **url** – `{string|TrustedObject}` – Absolute or relative URL of the resource that is being requested; | ||
| * or an object created by a call to `$sce.trustAsResourceUrl(url)`. | ||
| * - **params** – `{Object.<string|Object>}` – Map of strings or objects which will be serialized | ||
| * with the `paramSerializer` and appended as GET parameters. | ||
| * - **data** – `{string|Object}` – Data to be sent as the request message data. | ||
| @@ -868,11 +875,11 @@ function $HttpProvider() { | ||
| <button id="samplegetbtn" ng-click="updateModel('GET', 'http-hello.html')">Sample GET</button> | ||
| <button id="samplejsonpbtn" | ||
| ng-click="updateModel('JSONP', | ||
| 'https://angularjs.org/greet.php?callback=JSON_CALLBACK&name=Super%20Hero')"> | ||
| 'https://angularjs.org/greet.php?name=Super%20Hero')"> | ||
| Sample JSONP | ||
| </button> | ||
| <button id="invalidjsonpbtn" | ||
| ng-click="updateModel('JSONP', 'https://angularjs.org/doesntexist&callback=JSON_CALLBACK')"> | ||
| ng-click="updateModel('JSONP', 'https://angularjs.org/doesntexist')"> | ||
| Invalid JSONP | ||
| </button> | ||
| <pre>http status code: {{status}}</pre> | ||
| @@ -881,6 +888,13 @@ function $HttpProvider() { | ||
| </file> | ||
| <file name="script.js"> | ||
| angular.module('httpExample', []) | ||
| .config(['$sceDelegateProvider', function($sceDelegateProvider) { | ||
| // We must whitelist the JSONP endpoint that we are using to show that we trust it | ||
| $sceDelegateProvider.resourceUrlWhitelist([ | ||
| 'self', | ||
| 'https://angularjs.org/**' | ||
| ]); | ||
| }]) | ||
| .controller('FetchController', ['$scope', '$http', '$templateCache', | ||
| function($scope, $http, $templateCache) { | ||
| $scope.method = 'GET'; | ||
| @@ -948,15 +962,16 @@ function $HttpProvider() { | ||
| throw minErr('$http')('badreq', 'Http request configuration must be an object. Received: {0}', requestConfig); | ||
| } | ||
|
|
||
| if (!isString(requestConfig.url)) { | ||
| throw minErr('$http')('badreq', 'Http request configuration url must be a string. Received: {0}', requestConfig.url); | ||
| if (!isString($sce.valueOf(requestConfig.url))) { | ||
| throw minErr('$http')('badreq', 'Http request configuration url must be a string or a $sce trusted object. Received: {0}', requestConfig.url); | ||
| } | ||
|
|
||
| var config = extend({ | ||
| method: 'get', | ||
| transformRequest: defaults.transformRequest, | ||
| transformResponse: defaults.transformResponse, | ||
| paramSerializer: defaults.paramSerializer | ||
| paramSerializer: defaults.paramSerializer, | ||
| jsonpCallbackParam: defaults.jsonpCallbackParam | ||
| }, requestConfig); | ||
|
|
||
| config.headers = mergeHeaders(requestConfig); | ||
| @@ -1111,7 +1126,8 @@ function $HttpProvider() { | ||
| * @description | ||
| * Shortcut method to perform `GET` request. | ||
| * | ||
| * @param {string} url Relative or absolute URL specifying the destination of the request | ||
| * @param {string|TrustedObject} url Absolute or relative URL of the resource that is being requested; | ||
| * or an object created by a call to `$sce.trustAsResourceUrl(url)`. | ||
| * @param {Object=} config Optional configuration object | ||
| * @returns {HttpPromise} Future object | ||
| */ | ||
| @@ -1123,7 +1139,8 @@ function $HttpProvider() { | ||
| * @description | ||
| * Shortcut method to perform `DELETE` request. | ||
| * | ||
| * @param {string} url Relative or absolute URL specifying the destination of the request | ||
| * @param {string|TrustedObject} url Absolute or relative URL of the resource that is being requested; | ||
| * or an object created by a call to `$sce.trustAsResourceUrl(url)`. | ||
| * @param {Object=} config Optional configuration object | ||
| * @returns {HttpPromise} Future object | ||
| */ | ||
| @@ -1135,7 +1152,8 @@ function $HttpProvider() { | ||
| * @description | ||
| * Shortcut method to perform `HEAD` request. | ||
| * | ||
| * @param {string} url Relative or absolute URL specifying the destination of the request | ||
| * @param {string|TrustedObject} url Absolute or relative URL of the resource that is being requested; | ||
| * or an object created by a call to `$sce.trustAsResourceUrl(url)`. | ||
| * @param {Object=} config Optional configuration object | ||
| * @returns {HttpPromise} Future object | ||
| */ | ||
| @@ -1146,11 +1164,34 @@ function $HttpProvider() { | ||
| * | ||
| * @description | ||
| * Shortcut method to perform `JSONP` request. | ||
| * If you would like to customize where and how the callbacks are stored then try overriding | ||
| * | ||
| * Note that, since JSONP requests are sensitive because the response is given full access to the browser, | ||
| * the url must be declared, via {@link $sce} as a trusted resource URL. | ||
| * You can trust a URL by adding it to the whitelist via | ||
| * {@link $sceDelegateProvider#resourceUrlWhitelist `$sceDelegateProvider.resourceUrlWhitelist`} or | ||
| * by explicitly trusting the URL via {@link $sce#trustAsResourceUrl `$sce.trustAsResourceUrl(url)`}. | ||
| * | ||
| * JSONP requests must specify a callback to be used in the response from the server. This callback | ||
| * is passed as a query parameter in the request. You must specify the name of this parameter by | ||
| * setting the `jsonpCallbackParam` property on the request config object. | ||
| * | ||
| * ``` | ||
| * $http.jsonp('some/trusted/url', {jsonpCallbackParam: 'callback'}) | ||
| * ``` | ||
| * | ||
| * You can also specify a default callback parameter name in `$http.defaults.jsonpCallbackParam`. | ||
| * Initially this is set to `'callback'`. | ||
| * | ||
| * <div class="alert alert-danger"> | ||
| * You can no longer use the `JSON_CALLBACK` string as a placeholder for specifying where the callback | ||
| * parameter value should go. | ||
| * </div> | ||
| * | ||
| * If you would like to customise where and how the callbacks are stored then try overriding | ||
| * or decorating the {@link $jsonpCallbacks} service. | ||
| * | ||
| * @param {string} url Relative or absolute URL specifying the destination of the request. | ||
| * The name of the callback should be the string `JSON_CALLBACK`. | ||
| * @param {string|TrustedObject} url Absolute or relative URL of the resource that is being requested; | ||
| * or an object created by a call to `$sce.trustAsResourceUrl(url)`. | ||
| * @param {Object=} config Optional configuration object | ||
| * @returns {HttpPromise} Future object | ||
| */ | ||
| @@ -1249,12 +1290,28 @@ function $HttpProvider() { | ||
| cache, | ||
| cachedResp, | ||
| reqHeaders = config.headers, | ||
| url = buildUrl(config.url, config.paramSerializer(config.params)); | ||
| isJsonp = lowercase(config.method) === 'jsonp', | ||
| url = config.url; | ||
|
|
||
| if (isJsonp) { | ||
| // JSONP is a pretty sensitive operation where we're allowing a script to have full access to | ||
| // our DOM and JS space. So we require that the URL satisfies SCE.RESOURCE_URL. | ||
| url = $sce.getTrustedResourceUrl(url); | ||
| } else if (!isString(url)) { | ||
| // If it is not a string then the URL must be a $sce trusted object | ||
| url = $sce.valueOf(url); | ||
| } | ||
|
|
||
| url = buildUrl(url, config.paramSerializer(config.params)); | ||
|
|
||
| if (isJsonp) { | ||
| // Check the url and add the JSONP callback placeholder | ||
| url = sanitizeJsonpCallbackParam(url, config.jsonpCallbackParam); | ||
| } | ||
|
|
||
| $http.pendingRequests.push(config); | ||
| promise.then(removePendingReq, removePendingReq); | ||
|
|
||
|
|
||
| if ((config.cache || defaults.cache) && config.cache !== false && | ||
| (config.method === 'GET' || config.method === 'JSONP')) { | ||
| cache = isObject(config.cache) ? config.cache | ||
| @@ -1386,5 +1443,23 @@ function $HttpProvider() { | ||
| } | ||
| return url; | ||
| } | ||
|
|
||
| function sanitizeJsonpCallbackParam(url, key) { | ||
| if (/[&?][^=]+=JSON_CALLBACK/.test(url)) { | ||
| // Throw if the url already contains a reference to JSON_CALLBACK | ||
| throw $httpMinErr('badjsonp', 'Illegal use of JSON_CALLBACK in url, "{0}"', url); | ||
| } | ||
|
|
||
| var callbackParamRegex = new RegExp('[&?]' + key + '='); | ||
| if (callbackParamRegex.test(url)) { | ||
| // Throw if the callback param was already provided | ||
| throw $httpMinErr('badjsonp', 'Illegal use of callback param, "{0}", in url, "{1}"', key, url); | ||
| } | ||
|
|
||
| // Add in the JSON_CALLBACK callback param value | ||
| url += ((url.indexOf('?') === -1) ? '?' : '&') + key + '=JSON_CALLBACK'; | ||
|
|
||
| return url; | ||
| } | ||
| }]; | ||
| } | ||
Oops, something went wrong.