diff options
Diffstat (limited to 'docs/content/error/sce')
| -rw-r--r-- | docs/content/error/sce/icontext.ngdoc | 6 | ||||
| -rw-r--r-- | docs/content/error/sce/iequirks.ngdoc | 16 | ||||
| -rw-r--r-- | docs/content/error/sce/isecrurl.ngdoc | 30 | ||||
| -rw-r--r-- | docs/content/error/sce/itype.ngdoc | 6 | ||||
| -rw-r--r-- | docs/content/error/sce/unsafe.ngdoc | 15 |
5 files changed, 73 insertions, 0 deletions
diff --git a/docs/content/error/sce/icontext.ngdoc b/docs/content/error/sce/icontext.ngdoc new file mode 100644 index 00000000..af629040 --- /dev/null +++ b/docs/content/error/sce/icontext.ngdoc @@ -0,0 +1,6 @@ +@ngdoc error +@name $sce:icontext +@fullName Invalid / Unknown SCE context +@description +The context enum passed to {@link api/ng.$sce#trustAs $sce.trustAs} was not recognized. Refer the +list of {@link api/ng.$sce#contexts supported Strict Contextual Escaping (SCE) contexts}. diff --git a/docs/content/error/sce/iequirks.ngdoc b/docs/content/error/sce/iequirks.ngdoc new file mode 100644 index 00000000..be873344 --- /dev/null +++ b/docs/content/error/sce/iequirks.ngdoc @@ -0,0 +1,16 @@ +@ngdoc error +@name $sce:iequirks +@fullName IE8 in quirks mode is unsupported. +@description +You are using AngularJS with {@link api/ng.$sce#strictcontextualescaping Strict Contextual Escaping +(SCE)} mode enabled (the default) on IE8 or lower in quirks mode. In this mode, IE8 allows one to +execute arbitrary javascript by the use of the `expression()` syntax and is not supported. Refer +{@link http://blogs.msdn.com/b/ie/archive/2008/10/16/ending-expressions.aspx MSDN Blogs > IEBlog > +Ending Expressions} to learn more about them. + +### Recommended solution +Add the doctype + + <!doctype html> + +to the top of your HTML document. This switches the document from quirks mode to standards mode. diff --git a/docs/content/error/sce/isecrurl.ngdoc b/docs/content/error/sce/isecrurl.ngdoc new file mode 100644 index 00000000..c5a5445d --- /dev/null +++ b/docs/content/error/sce/isecrurl.ngdoc @@ -0,0 +1,30 @@ +@ngdoc error +@name $sce:isecrurl +@fullName Blocked loading an untrusted resource +@description + +AngularJS' {@link api/ng.$sce#strictcontextualescaping Strict Contextual Escaping +(SCE)} mode (enabled by default) has blocked loading a resource from an insecure URL. + +Typically, this would occur if you're attempting to load an Angular template from a different +domain. It's also possible that a custom directive threw this error for a similar reason. + +Angular only loads templates from trusted URLs (by calling {@link api/ng.$sce#getTrustedResourceUrl +$sce.getTrustedResourceUrl} on the template URL.). + +By default, only URLs to the same domain with the same protocol as the application document are +considered to be trusted. + +The {@link api/ng.directive:ngInclude ng-include} directive and {@link guide/directive directives} +that specify a `templateUrl` require a trusted resource URL. + +To load templates from other domains and/or protocols, either adjust the {@link +api/ng.$sceDelegateProvider#resourceUrlWhitelist whitelist}/ {@link +api/ng.$sceDelegateProvider#resourceUrlBlacklist blacklist} or wrap the URL with a call to {@link +api/ng.$sce#trustAsResourceUrl $sce.trustAsResourceUrl}. + +**Note**: The browser's {@link +https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest Same Origin +Policy} and {@link http://www.w3.org/TR/cors/ Cross-Origin Resource Sharing (CORS)} policy apply +that may further restrict whether the template is successfully loaded. (e.g. neither cross-domain +requests won't work on all browsers nor `file://` requests on some browsers) diff --git a/docs/content/error/sce/itype.ngdoc b/docs/content/error/sce/itype.ngdoc new file mode 100644 index 00000000..90555156 --- /dev/null +++ b/docs/content/error/sce/itype.ngdoc @@ -0,0 +1,6 @@ +@ngdoc error +@name $sce:itype +@fullName String value required for SCE trust call. +@description +{@link api/ng.$sce#trustAs $sce.trustAs} requires a string value. Read more about {@link +api/ng.$sce#strictcontextualescaping Strict Contextual Escaping (SCE)} in AngularJS. diff --git a/docs/content/error/sce/unsafe.ngdoc b/docs/content/error/sce/unsafe.ngdoc new file mode 100644 index 00000000..908033d2 --- /dev/null +++ b/docs/content/error/sce/unsafe.ngdoc @@ -0,0 +1,15 @@ +@ngdoc error +@name $sce:unsafe +@fullName Require a safe/trusted value +@description + +The value provided for use in a specific context was not found to be safe/trusted for use. + +Angular's {@link api/ng.$sce#strictcontextualescaping Strict Contextual Escaping (SCE)} mode +(enabled by default), requires bindings in certain +contexts to result in a value that is trusted as safe for use in such a context. (e.g. loading an +Angular template from a URL requires that the URL is one considered safe for loading resources.) + +This helps prevent XSS and other security issues. Read more at {@link +api/ng.$sce#strictcontextualescaping Strict Contextual Escaping (SCE)} + |