refactor(httpProvider): remove usages of whitelist and blacklist

josephperrott · petebacondarwin · commit c953af6b8cfe · 2020-09-30T18:46:45.000+01:00
Changes xsrfWhitelistedOrigins to xsrfTrustedOrigins updating references to use
this new symbol.

For the purposes of backward compatibility, the previous symbol is aliased to
the new symbol.
diff --git a/docs/content/guide/migration.ngdoc b/docs/content/guide/migration.ngdoc
@@ -2647,8 +2647,8 @@ $scope.findTemplate = function(templateName) {
 };
 ```
 
-To migrate, either cache the result of `trustAsResourceUrl()`, or put the template url in the resource
-whitelist in the `config()` function:
+To migrate, either cache the result of `trustAsResourceUrl()`, or put the template url in the trusted resource
+URL list in the `config()` function:
 
 After:
 
diff --git a/src/ng/http.js b/src/ng/http.js
@@ -388,7 +388,7 @@ function $HttpProvider() {
 
   /**
    * @ngdoc property
-   * @name $httpProvider#xsrfWhitelistedOrigins
+   * @name $httpProvider#xsrfTrustedOrigins
    * @description
    *
    * Array containing URLs whose origins are trusted to receive the XSRF token. See the
@@ -402,7 +402,7 @@ function $HttpProvider() {
    * Examples: `http://example.com`, `https://api.example.com:9876`
    *
    * <div class="alert alert-warning">
-   *   It is not possible to whitelist specific URLs/paths. The `path`, `query` and `fragment` parts
+   *   It is not possible to trust specific URLs/paths. The `path`, `query` and `fragment` parts
    *   of a URL will be ignored. For example, `https://foo.com/path/bar?query=baz#fragment` will be
    *   treated as `https://foo.com`, meaning that **all** requests to URLs starting with
    *   `https://foo.com/` will include the XSRF token.
@@ -413,9 +413,9 @@ function $HttpProvider() {
    * ```js
    * // App served from `https://example.com/`.
    * angular.
-   *   module('xsrfWhitelistedOriginsExample', []).
+   *   module('xsrfTrustedOriginsExample', []).
    *   config(['$httpProvider', function($httpProvider) {
-   *     $httpProvider.xsrfWhitelistedOrigins.push('https://api.example.com');
+   *     $httpProvider.xsrfTrustedOrigins.push('https://api.example.com');
    *   }]).
    *   run(['$http', function($http) {
    *     // The XSRF token will be sent.
@@ -426,7 +426,7 @@ function $HttpProvider() {
    *   }]);
    * ```
    */
-  var xsrfWhitelistedOrigins = this.xsrfWhitelistedOrigins = [];
+  var xsrfTrustedOrigins = this.xsrfWhitelistedOrigins = this.xsrfTrustedOrigins = [];
 
   this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce',
       function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) {
@@ -454,7 +454,7 @@ function $HttpProvider() {
     /**
      * A function to check request URLs against a list of allowed origins.
      */
-    var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfWhitelistedOrigins);
+    var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfTrustedOrigins);
 
     /**
      * @ngdoc service
@@ -828,16 +828,16 @@ function $HttpProvider() {
      * The header will &mdash; by default &mdash; **not** be set for cross-domain requests. This
      * prevents unauthorized servers (e.g. malicious or compromised 3rd-party APIs) from gaining
      * access to your users' XSRF tokens and exposing them to Cross Site Request Forgery. If you
-     * want to, you can whitelist additional origins to also receive the XSRF token, by adding them
-     * to {@link ng.$httpProvider#xsrfWhitelistedOrigins xsrfWhitelistedOrigins}. This might be
+     * want to, you can trust additional origins to also receive the XSRF token, by adding them
+     * to {@link ng.$httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}. This might be
      * useful, for example, if your application, served from `example.com`, needs to access your API
      * at `api.example.com`.
-     * See {@link ng.$httpProvider#xsrfWhitelistedOrigins $httpProvider.xsrfWhitelistedOrigins} for
+     * See {@link ng.$httpProvider#xsrfTrustedOrigins $httpProvider.xsrfTrustedOrigins} for
      * more details.
      *
      * <div class="alert alert-danger">
      *   **Warning**<br />
-     *   Only whitelist origins that you have control over and make sure you understand the
+     *   Only trusted origins that you have control over and make sure you understand the
      *   implications of doing so.
      * </div>
      *
@@ -964,7 +964,7 @@ function $HttpProvider() {
 <file name="script.js">
   angular.module('httpExample', [])
     .config(['$sceDelegateProvider', function($sceDelegateProvider) {
-      // We must whitelist the JSONP endpoint that we are using to show that we trust it
+      // We must add the JSONP endpoint that we are using to the trusted list to show that we trust it
       $sceDelegateProvider.trustedResourceUrlList([
         'self',
         'https://angularjs.org/**'
@@ -1222,7 +1222,7 @@ function $HttpProvider() {
      *
      * Note that, since JSONP requests are sensitive because the response is given full access to the browser,
      * the url must be declared, via {@link $sce} as a trusted resource URL.
-     * You can trust a URL by adding it to the whitelist via
+     * You can trust a URL by adding it to the trusted resource URL list via
      * {@link $sceDelegateProvider#trustedResourceUrlList  `$sceDelegateProvider.trustedResourceUrlList`} or
      * by explicitly trusting the URL via {@link $sce#trustAsResourceUrl `$sce.trustAsResourceUrl(url)`}.
      *
diff --git a/test/ng/httpSpec.js b/test/ng/httpSpec.js
@@ -2213,9 +2213,9 @@ describe('$http', function() {
     var $httpBackend;
 
     beforeEach(module(function($httpProvider) {
-      $httpProvider.xsrfWhitelistedOrigins.push(
-          'https://whitelisted.example.com',
-          'https://whitelisted2.example.com:1337/ignored/path');
+      $httpProvider.xsrfTrustedOrigins.push(
+          'https://trusted.example.com',
+          'https://trusted2.example.com:1337/ignored/path');
     }));
 
     beforeEach(inject(function(_$http_, _$httpBackend_) {
@@ -2312,8 +2312,8 @@ describe('$http', function() {
       }
       var requestUrls = [
         'https://api.example.com/path',
-        'http://whitelisted.example.com',
-        'https://whitelisted2.example.com:1338'
+        'http://trusted.example.com',
+        'https://trusted2.example.com:1338'
       ];
 
       mockedCookies['XSRF-TOKEN'] = 'secret';
@@ -2326,15 +2326,15 @@ describe('$http', function() {
     });
 
 
-    it('should set an XSRF header for cross-domain requests to whitelisted origins',
+    it('should set an XSRF header for cross-domain requests to trusted origins',
       inject(function($browser) {
         function checkHeaders(headers) {
           return headers['X-XSRF-TOKEN'] === 'secret';
         }
         var currentUrl = 'https://example.com/path';
         var requestUrls = [
-          'https://whitelisted.example.com/path',
-          'https://whitelisted2.example.com:1337/path'
+          'https://trusted.example.com/path',
+          'https://trusted2.example.com:1337/path'
         ];
 
         $browser.url(currentUrl);
