feat(http): JSONP requests now require trusted resource URLs

chirayuk · petebacondarwin · commit a5305ab18cb5 · 2016-09-15T14:59:46.000+01:00
- JSONP should require trusted resource URLs. This would be a breaking change but maybe not too onerous since same origin URLs are trusted in the default config and you can easily whitelist any 3rd party URLs you trust in one single place (your app/module config.) - fix a bug where $http can't handle $sce wrapper URLs. Closes angular#11352 Closes angular#11328
diff --git a/src/ng/http.js b/src/ng/http.js
@@ -379,8 +379,8 @@ function $HttpProvider() {
    **/
   var interceptorFactories = this.interceptors = [];
 
-  this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector',
-      function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector) {
+  this.$get = ['$sce', '$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector',
+      function($sce, $browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector) {
 
     var defaultCache = $cacheFactory('$http');
 
@@ -1249,7 +1249,11 @@ function $HttpProvider() {
           cache,
           cachedResp,
           reqHeaders = config.headers,
-          url = buildUrl(config.url, config.paramSerializer(config.params));
+          // origUrl could be a $sce trusted URL which used a wrapper class
+          origUrl = config.url,
+          url = $sce.valueOf(origUrl);
+
+      url = buildUrl(url, config.paramSerializer(config.params));
 
       $http.pendingRequests.push(config);
       promise.then(removePendingReq, removePendingReq);
@@ -1293,7 +1297,7 @@ function $HttpProvider() {
           reqHeaders[(config.xsrfHeaderName || defaults.xsrfHeaderName)] = xsrfValue;
         }
 
-        $httpBackend(config.method, url, reqData, done, reqHeaders, config.timeout,
+        $httpBackend(config.method, (url === $sce.valueOf(origUrl) ? origUrl : url), reqData, done, reqHeaders, config.timeout,
             config.withCredentials, config.responseType,
             createApplyHandlers(config.eventHandlers),
             createApplyHandlers(config.uploadEventHandlers));
diff --git a/src/ng/httpBackend.js b/src/ng/httpBackend.js
@@ -49,14 +49,19 @@ function $xhrFactoryProvider() {
  * $httpBackend} which can be trained with responses.
  */
 function $HttpBackendProvider() {
-  this.$get = ['$browser', '$jsonpCallbacks', '$document', '$xhrFactory', function($browser, $jsonpCallbacks, $document, $xhrFactory) {
-    return createHttpBackend($browser, $xhrFactory, $browser.defer, $jsonpCallbacks, $document[0]);
+  this.$get = ['$sce', '$browser', '$jsonpCallbacks', '$document', '$xhrFactory', function($sce, $browser, $jsonpCallbacks, $document, $xhrFactory) {
+    return createHttpBackend($sce, $browser, $xhrFactory, $browser.defer, $jsonpCallbacks, $document[0]);
   }];
 }
 
-function createHttpBackend($browser, createXhr, $browserDefer, callbacks, rawDocument) {
+function createHttpBackend($sce, $browser, createXhr, $browserDefer, callbacks, rawDocument) {
   // TODO(vojta): fix the signature
   return function(method, url, post, callback, headers, timeout, withCredentials, responseType, eventHandlers, uploadEventHandlers) {
+    if (lowercase(method) == 'jsonp') {
+      // This is a pretty sensitive operation where we're allowing a script to have full access to
+      // our DOM and JS space.  So we require that the URL satisfies SCE.RESOURCE_URL.
+      url = $sce.getTrustedResourceUrl(url);
+    }
     url = url || $browser.url();
 
     if (lowercase(method) === 'jsonp') {
diff --git a/test/ng/httpBackendSpec.js b/test/ng/httpBackendSpec.js
@@ -1,13 +1,18 @@
 /* global createHttpBackend: false, createMockXhr: false, MockXhr: false */
 'use strict';
 
-describe('$httpBackend', function() {
+fdescribe('$httpBackend', function() {
 
-  var $backend, $browser, $jsonpCallbacks,
+  var $sce, $backend, $browser, $jsonpCallbacks,
       xhr, fakeDocument, callback;
 
-  beforeEach(inject(function($injector) {
+  beforeEach(module(function($sceDelegateProvider) {
+    // Setup a special whitelisted url that we can use in testing JSONP requests
+    $sceDelegateProvider.resourceUrlWhitelist(['http://special.whitelisted.resource.com/**']);
+  }));
 
+  beforeEach(inject(function($injector) {
+    $sce = $injector.get('$sce');
     $browser = $injector.get('$browser');
 
     fakeDocument = {
@@ -48,7 +53,7 @@ describe('$httpBackend', function() {
       }
     };
 
-    $backend = createHttpBackend($browser, createMockXhr, $browser.defer, $jsonpCallbacks, fakeDocument);
+    $backend = createHttpBackend($sce, $browser, createMockXhr, $browser.defer, $jsonpCallbacks, fakeDocument);
     callback = jasmine.createSpy('done');
   }));
 
@@ -273,7 +278,7 @@ describe('$httpBackend', function() {
 
   it('should call $xhrFactory with method and url', function() {
     var mockXhrFactory = jasmine.createSpy('mockXhrFactory').and.callFake(createMockXhr);
-    $backend = createHttpBackend($browser, mockXhrFactory, $browser.defer, $jsonpCallbacks, fakeDocument);
+    $backend = createHttpBackend($sce, $browser, mockXhrFactory, $browser.defer, $jsonpCallbacks, fakeDocument);
     $backend('GET', '/some-url', 'some-data', noop);
     expect(mockXhrFactory).toHaveBeenCalledWith('GET', '/some-url');
   });
@@ -334,20 +339,20 @@ describe('$httpBackend', function() {
 
     var SCRIPT_URL = /([^\?]*)\?cb=(.*)/;
 
-
     it('should add script tag for JSONP request', function() {
       callback.and.callFake(function(status, response) {
         expect(status).toBe(200);
         expect(response).toBe('some-data');
       });
 
-      $backend('JSONP', 'http://example.org/path?cb=JSON_CALLBACK', null, callback);
+      $backend('JSONP', 'http://special.whitelisted.resource.com/path?cb=JSON_CALLBACK', null, callback);
+
       expect(fakeDocument.$$scripts.length).toBe(1);
 
       var script = fakeDocument.$$scripts.shift(),
           url = script.src.match(SCRIPT_URL);
 
-      expect(url[1]).toBe('http://example.org/path');
+      expect(url[1]).toBe('http://special.whitelisted.resource.com/path');
       $jsonpCallbacks[url[2]]('some-data');
       browserTrigger(script, 'load');
 
@@ -358,7 +363,8 @@ describe('$httpBackend', function() {
     it('should clean up the callback and remove the script', function() {
       spyOn($jsonpCallbacks, 'removeCallback').and.callThrough();
 
-      $backend('JSONP', 'http://example.org/path?cb=JSON_CALLBACK', null, callback);
+      $backend('JSONP', 'http://special.whitelisted.resource.com/path?cb=JSON_CALLBACK', null, callback);
+
       expect(fakeDocument.$$scripts.length).toBe(1);
 
 
@@ -375,6 +381,7 @@ describe('$httpBackend', function() {
 
     it('should set url to current location if not specified or empty string', function() {
       $backend('JSONP', undefined, null, callback);
+
       expect(fakeDocument.$$scripts[0].src).toBe($browser.url());
       fakeDocument.$$scripts.shift();
 
@@ -390,7 +397,8 @@ describe('$httpBackend', function() {
         expect(status).toBe(-1);
       });
 
-      $backend('JSONP', 'http://example.org/path?cb=JSON_CALLBACK', null, callback, null, 2000);
+      $backend('JSONP', 'http://special.whitelisted.resource.com/path?cb=JSON_CALLBACK', null, callback, null, 2000);
+
       expect(fakeDocument.$$scripts.length).toBe(1);
       expect($browser.deferredFns[0].time).toBe(2000);
 
@@ -405,6 +413,18 @@ describe('$httpBackend', function() {
     });
 
 
+    it('should throw error if the url is not a trusted resource', function() {
+      expect(function() {
+        $backend('JSONP', 'http://example.org/path?cb=JSON_CALLBACK', null, callback);
+      }).toThrowMinErr('$sce', 'insecurl');
+    });
+
+    it('should not throw error if the url is an explicitly trusted resource', function() {
+      expect(function() {
+        $backend('JSONP', $sce.trustAsResourceUrl('http://example.org/path?cb=JSON_CALLBACK'), null, callback);
+      }).not.toThrowMinErr('$sce', 'insecurl');
+    });
+
     // TODO(vojta): test whether it fires "async-start"
     // TODO(vojta): test whether it fires "async-end" on both success and error
   });
@@ -420,7 +440,7 @@ describe('$httpBackend', function() {
     }
 
     beforeEach(function() {
-      $backend = createHttpBackend($browser, createMockXhr);
+      $backend = createHttpBackend($sce, $browser, createMockXhr);
     });
 
 
diff --git a/test/ngRoute/routeSpec.js b/test/ngRoute/routeSpec.js
@@ -1016,9 +1016,10 @@ describe('$route', function() {
       $routeProvider = _$routeProvider_;
 
       $provide.decorator('$sce', function($delegate) {
+        function getVal(v) { return v.getVal ? v.getVal() : v; }
         $delegate.trustAsResourceUrl = function(url) { return new MySafeResourceUrl(url); };
-        $delegate.getTrustedResourceUrl = function(v) { return v.getVal(); };
-        $delegate.valueOf = function(v) { return v.getVal(); };
+        $delegate.getTrustedResourceUrl = function(v) { return getVal(v); };
+        $delegate.valueOf = function(v) { return getVal(v); };
         return $delegate;
       });
     });
