SCE, that is, strict contextual escaping. My understanding is strict context isolation... the translation may not be accurate, but taken literally it means that AngularJS strictly controls which values may be used in which context. This article describes how AngularJS uses the $sce service to control its code security checks; if you are interested in AngularJS SCE, you can learn it along with me. Because browsers enforce same-origin loading policies, you cannot load files from a different domain, or access files over unintended protocols such as file:.
To avoid security vulnerabilities, AngularJS performs security checks on directives such as ng-src and ng-include. As a result, ng-src on an iframe is often unusable without further setup.
What is SCE?
SCE stands for strict contextual escaping. My understanding is strict context isolation... the translation may be inaccurate, but understood literally, AngularJS strictly controls access to each context.
AngularJS enables SCE by default, which means that some insecure behaviours are blocked out of the box: for example, using a third-party script or library, loading a piece of HTML, and so on.
This is indeed safe and avoids cross-site scripting (XSS), but sometimes we want to load a specific file ourselves. What do we do then?
In that case, use the $sce service to mark certain addresses as trusted, authorized links... put simply, it is like telling the guard that this stranger is actually a good friend of mine, can be trusted, and need not be stopped!
Common methods include:
$sce.trustAs(type, value);
$sce.trustAsHtml(value);
$sce.trustAsUrl(value);
$sce.trustAsResourceUrl(value);
$sce.trustAsJs(value);
The rest are all built on the first API. For example, trustAsUrl(value) actually calls trustAs($sce.URL, value).
The possible values of type are:
$sce.HTML
$sce.CSS
$sce.URL // href on a tags, src on img tags
$sce.RESOURCE_URL // ng-include, and src or ng-src on iframe or object
$sce.JS
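The following is an added example (my own, not from the AngularJS documentation or from the original article) showing both contexts discussed above in one small page: a string rendered through ng-bind-html after $sce.trustAsHtml, and an iframe whose ng-src is accepted only after $sce.trustAsResourceUrl. It assumes AngularJS 1.x loaded from the Google CDN; the widget origin https://widgets.example.com and the sample HTML are constructed values.

```html
<!DOCTYPE html>
<html ng-app="sceDemo">
<head>
  <meta charset="utf-8">
  <!-- Assumption: AngularJS 1.x from the Google CDN; any 1.x copy works -->
  <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.2/angular.min.js"></script>
</head>
<body ng-controller="DemoCtrl">
  <!-- Binding the raw string here would be rejected by SCE (without ngSanitize
       AngularJS throws an $sce error), so the trusted wrapper is bound instead -->
  <div ng-bind-html="trustedHtml"></div>

  <!-- iframe src is a RESOURCE_URL context: a plain string is rejected,
       only a value passed through trustAsResourceUrl is interpolated -->
  <iframe ng-src="{{trustedFrameUrl}}"></iframe>

  <script>
  angular.module('sceDemo', [])
    .controller('DemoCtrl', ['$scope', '$sce', function ($scope, $sce) {
      // Constructed sample markup standing in for HTML returned by a server
      var rawHtml = '<b>bold text from the server</b>';

      // trustAsHtml(value) is the same as trustAs($sce.HTML, value)
      $scope.trustedHtml = $sce.trustAsHtml(rawHtml);

      // Only origins you control should ever reach trustAsResourceUrl.
      // Checking against a fixed allow-list keeps attacker-supplied values
      // (query parameters, API responses) out of the iframe. Constructed list.
      var allowedFrameOrigins = ['https://widgets.example.com'];

      function trustFrameUrl(url) {
        var origin;
        try {
          origin = new URL(url, window.location.href).origin;
        } catch (e) {
          return undefined; // unparsable URL: leave the iframe empty
        }
        if (allowedFrameOrigins.indexOf(origin) === -1) {
          return undefined; // not on the list: leave the iframe empty
        }
        return $sce.trustAsResourceUrl(url);
      }

      // Constructed URL; a value from the allow-listed origin is trusted
      $scope.trustedFrameUrl = trustFrameUrl('https://widgets.example.com/embed');
    }]);
  </script>
</body>
</html>
```

The allow-list check is the important part: $sce.trustAs* simply tells the guard to let a value through, so calling it on user-controlled input reintroduces exactly the XSS that SCE exists to prevent. For resource URLs, AngularJS 1.x also lets you declare trusted origins once, through $sceDelegateProvider in a config block, instead of trusting individual values in each controller.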
Example from the official website: ng-bind-html