I am trying to use Angular with a list of apps, and each one is a link to see an app in more detail (apps/app.id):
<a id=\"{{app.id}}\" href=\"apps/{{app.id}}\" >{{app.name}}</a>
Every time I click on one of these links, Chrome shows the URL as
unsafe:chrome-extension://kpbipnfncdpgejhmdneaagc.../apps/app.id
Where does the unsafe: come from?
You need to explicitly add URL protocols to Angular\'s whitelist using a regular expression. Only http, https, ftp and mailto are enabled by default. Angular will prefix a non-whitelisted URL with unsafe: when using a protocol such as chrome-extension:.
A good place to whitelist the chrome-extension: protocol would be in your module\'s config block:
var app = angular.module( \'myApp\', [] )
.config( [
\'$compileProvider\',
function( $compileProvider )
{
$compileProvider.aHrefSanitizationWhitelist(/^\\s*(https?|ftp|mailto|chrome-extension):/);
// Angular before v1.2 uses $compileProvider.urlSanitizationWhitelist(...)
}
]);
The same procedure also applies when you need to use protocols such as file: and tel:.
Please see the AngularJS $compileProvider API documentation for more info.
In case anyone has this problem with images, as well:
app.config([\'$compileProvider\', function ($compileProvider) {
$compileProvider.imgSrcSanitizationWhitelist(/^\\s*(https?|local|data|chrome-extension):/);
}]);
If you just need for mail, tel and sms use this:
app.config([\'$compileProvider\', function ($compileProvider) {
$compileProvider.aHrefSanitizationWhitelist(/^\\s*(https?|ftp|mailto|file|sms|tel):/);
}]);
Google Chrome require its extensions to cooperate with Content Security Policy (CSP).
You need to modify your extension to fulfill the requirements of CSP.
https://developer.chrome.com/extensions/contentSecurityPolicy.html
https://developer.mozilla.org/en-US/docs/Security/CSP
Also, angularJS has ngCsp directive which you need to use.
http://docs.angularjs.org/api/ng.directive:ngCsp
<a href=\"{{applicant.resume}}\" download> download resume</a>
var app = angular.module(\"myApp\", []);
app.config([\'$compileProvider\', function($compileProvider) {
$compileProvider.aHrefSanitizationWhitelist(/^\\s*(https?|local|data|chrome-extension):/);
$compileProvider.imgSrcSanitizationWhitelist(/^\\s*(https?|local|data|chrome-extension):/);
}]);
For Angular 2+ you can use DomSanitizer\'s bypassSecurityTrustResourceUrl method.
import {DomSanitizer} from \'@angular/platform-browser\';
class ExampleComponent {
sanitizedURL : SafeResourceUrl;
constructor(
private sanitizer: DomSanitizer){
this.sanitizedURL = this.sanitizer.bypassSecurityTrustResourceUrl();
}
}
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 看淡一切 的文章《AngularJS changes URLs to “unsafe:” in extension p》','https://www.manongdao.com/article-5081.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}