feat(http): JSONP requests now require trusted resource URLs

Reject JSONP requests that are not trusted by `$sce` as "ResourceUrl".

Closes angular#11352

BREAKING CHANGE

All JSONP requests now require the URL to be whitelisted with the
`$sceDelegateProvider.resourceUrlWhitelist()` method.

You configure this list in a module configuration block:

```
appModule.config(['$sceDelegateProvider', function($sceDelegateProvider) {
  $sceDelegateProvider.resourceUrlWhiteList([
    // Allow same origin resource loads.
    'self',
    // Allow JSONP calls that match this pattern
    'https://some.dataserver.com/**.jsonp?**`
  ]);
}]);
```

Author: chirayuk

src/ng/http.js

@@ -379,8 +379,8 @@ function $HttpProvider() {
    **/
   var interceptorFactories = this.interceptors = [];
 
-  this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector',
-      function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector) {
+  this.$get = ['$sce', '$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector',
+      function($sce, $browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector) {
 
     var defaultCache = $cacheFactory('$http');
 

src/ng/httpBackend.js

@@ -49,14 +49,19 @@ function $xhrFactoryProvider() {
  * $httpBackend} which can be trained with responses.
  */
 function $HttpBackendProvider() {
-  this.$get = ['$browser', '$jsonpCallbacks', '$document', '$xhrFactory', function($browser, $jsonpCallbacks, $document, $xhrFactory) {
-    return createHttpBackend($browser, $xhrFactory, $browser.defer, $jsonpCallbacks, $document[0]);
+  this.$get = ['$sce', '$browser', '$jsonpCallbacks', '$document', '$xhrFactory', function($sce, $browser, $jsonpCallbacks, $document, $xhrFactory) {
+    return createHttpBackend($sce, $browser, $xhrFactory, $browser.defer, $jsonpCallbacks, $document[0]);
   }];
 }
 
-function createHttpBackend($browser, createXhr, $browserDefer, callbacks, rawDocument) {
+function createHttpBackend($sce, $browser, createXhr, $browserDefer, callbacks, rawDocument) {
   // TODO(vojta): fix the signature
   return function(method, url, post, callback, headers, timeout, withCredentials, responseType, eventHandlers, uploadEventHandlers) {
+    if (lowercase(method) == 'jsonp') {
+      // This is a pretty sensitive operation where we're allowing a script to have full access to
+      // our DOM and JS space.  So we require that the URL satisfies SCE.RESOURCE_URL.
+      url = $sce.getTrustedResourceUrl(url);
+    }
     url = url || $browser.url();
 
     if (lowercase(method) === 'jsonp') {

test/ng/httpBackendSpec.js

@@ -3,11 +3,16 @@
 
 describe('$httpBackend', function() {
 
-  var $backend, $browser, $jsonpCallbacks,
+  var $sce, $backend, $browser, $jsonpCallbacks,
       xhr, fakeDocument, callback;
 
-  beforeEach(inject(function($injector) {
+  beforeEach(module(function($sceDelegateProvider) {
+    // Setup a special whitelisted url that we can use in testing JSONP requests
+    $sceDelegateProvider.resourceUrlWhitelist(['http://special.whitelisted.resource.com/**']);
+  }));
 
+  beforeEach(inject(function($injector) {
+    $sce = $injector.get('$sce');
     $browser = $injector.get('$browser');
 
     fakeDocument = {
@@ -48,7 +53,7 @@ describe('$httpBackend', function() {
       }
     };
 
-    $backend = createHttpBackend($browser, createMockXhr, $browser.defer, $jsonpCallbacks, fakeDocument);
+    $backend = createHttpBackend($sce, $browser, createMockXhr, $browser.defer, $jsonpCallbacks, fakeDocument);
     callback = jasmine.createSpy('done');
   }));
 
@@ -273,7 +278,7 @@ describe('$httpBackend', function() {
 
   it('should call $xhrFactory with method and url', function() {
     var mockXhrFactory = jasmine.createSpy('mockXhrFactory').and.callFake(createMockXhr);
-    $backend = createHttpBackend($browser, mockXhrFactory, $browser.defer, $jsonpCallbacks, fakeDocument);
+    $backend = createHttpBackend($sce, $browser, mockXhrFactory, $browser.defer, $jsonpCallbacks, fakeDocument);
     $backend('GET', '/some-url', 'some-data', noop);
     expect(mockXhrFactory).toHaveBeenCalledWith('GET', '/some-url');
   });
@@ -334,20 +339,20 @@ describe('$httpBackend', function() {
 
     var SCRIPT_URL = /([^\?]*)\?cb=(.*)/;
 
-
     it('should add script tag for JSONP request', function() {
       callback.and.callFake(function(status, response) {
         expect(status).toBe(200);
         expect(response).toBe('some-data');
       });
 
-      $backend('JSONP', 'http://example.org/path?cb=JSON_CALLBACK', null, callback);
+      $backend('JSONP', 'http://special.whitelisted.resource.com/path?cb=JSON_CALLBACK', null, callback);
+
       expect(fakeDocument.$$scripts.length).toBe(1);
 
       var script = fakeDocument.$$scripts.shift(),
           url = script.src.match(SCRIPT_URL);
 
-      expect(url[1]).toBe('http://example.org/path');
+      expect(url[1]).toBe('http://special.whitelisted.resource.com/path');
       $jsonpCallbacks[url[2]]('some-data');
       browserTrigger(script, 'load');
 
@@ -358,7 +363,8 @@ describe('$httpBackend', function() {
     it('should clean up the callback and remove the script', function() {
       spyOn($jsonpCallbacks, 'removeCallback').and.callThrough();
 
-      $backend('JSONP', 'http://example.org/path?cb=JSON_CALLBACK', null, callback);
+      $backend('JSONP', 'http://special.whitelisted.resource.com/path?cb=JSON_CALLBACK', null, callback);
+
       expect(fakeDocument.$$scripts.length).toBe(1);
 
 
@@ -375,6 +381,7 @@ describe('$httpBackend', function() {
 
     it('should set url to current location if not specified or empty string', function() {
       $backend('JSONP', undefined, null, callback);
+
       expect(fakeDocument.$$scripts[0].src).toBe($browser.url());
       fakeDocument.$$scripts.shift();
 
@@ -390,7 +397,8 @@ describe('$httpBackend', function() {
         expect(status).toBe(-1);
       });
 
-      $backend('JSONP', 'http://example.org/path?cb=JSON_CALLBACK', null, callback, null, 2000);
+      $backend('JSONP', 'http://special.whitelisted.resource.com/path?cb=JSON_CALLBACK', null, callback, null, 2000);
+
       expect(fakeDocument.$$scripts.length).toBe(1);
       expect($browser.deferredFns[0].time).toBe(2000);
 
@@ -405,6 +413,18 @@ describe('$httpBackend', function() {
     });
 
 
+    it('should throw error if the url is not a trusted resource', function() {
+      expect(function() {
+        $backend('JSONP', 'http://example.org/path?cb=JSON_CALLBACK', null, callback);
+      }).toThrowMinErr('$sce', 'insecurl');
+    });
+
+    it('should not throw error if the url is an explicitly trusted resource', function() {
+      expect(function() {
+        $backend('JSONP', $sce.trustAsResourceUrl('http://example.org/path?cb=JSON_CALLBACK'), null, callback);
+      }).not.toThrowMinErr('$sce', 'insecurl');
+    });
+
     // TODO(vojta): test whether it fires "async-start"
     // TODO(vojta): test whether it fires "async-end" on both success and error
   });
@@ -420,7 +440,7 @@ describe('$httpBackend', function() {
     }
 
     beforeEach(function() {
-      $backend = createHttpBackend($browser, createMockXhr);
+      $backend = createHttpBackend($sce, $browser, createMockXhr);
     });
 
 

test/ngRoute/routeSpec.js

@@ -1016,9 +1016,10 @@ describe('$route', function() {
       $routeProvider = _$routeProvider_;
 
       $provide.decorator('$sce', function($delegate) {
+        function getVal(v) { return v.getVal ? v.getVal() : v; }
         $delegate.trustAsResourceUrl = function(url) { return new MySafeResourceUrl(url); };
-        $delegate.getTrustedResourceUrl = function(v) { return v.getVal(); };
-        $delegate.valueOf = function(v) { return v.getVal(); };
+        $delegate.getTrustedResourceUrl = function(v) { return getVal(v); };
+        $delegate.valueOf = function(v) { return getVal(v); };
         return $delegate;
       });
     });