From 51f3d22e4f062e8484d8653765cca0442544f090 Mon Sep 17 00:00:00 2001
From: Martin Probst <martin@probst.io>
Date: Thu, 21 Jul 2016 17:44:59 -0700
Subject: [PATCH] feat(security): trust resource URLs as URLs. (#10220)

Resource URLs are strictly "more" trustworthy than plain URLs, so trusting them maintains the same level of security while avoiding to break people when we downgrade a resource URL context to a plain URL context.
---
 .../src/security/dom_sanitization_service.ts  |  5 ++++-
 .../security/dom_sanitization_service_spec.ts | 22 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 modules/@angular/platform-browser/test/security/dom_sanitization_service_spec.ts

diff --git a/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts b/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts
index 8b636f5366..77e6041638 100644
--- a/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts
+++ b/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts
@@ -165,7 +165,10 @@ export class DomSanitizationServiceImpl extends DomSanitizationService {
         this.checkNotSafeValue(value, 'Script');
         throw new Error('unsafe value used in a script context');
       case SecurityContext.URL:
-        if (value instanceof SafeUrlImpl) return value.changingThisBreaksApplicationSecurity;
+        if (value instanceof SafeResourceUrlImpl || value instanceof SafeUrlImpl) {
+          // Allow resource URLs in URL contexts, they are strictly more trusted.
+          return value.changingThisBreaksApplicationSecurity;
+        }
         this.checkNotSafeValue(value, 'URL');
         return sanitizeUrl(String(value));
       case SecurityContext.RESOURCE_URL:
diff --git a/modules/@angular/platform-browser/test/security/dom_sanitization_service_spec.ts b/modules/@angular/platform-browser/test/security/dom_sanitization_service_spec.ts
new file mode 100644
index 0000000000..8ee963cad1
--- /dev/null
+++ b/modules/@angular/platform-browser/test/security/dom_sanitization_service_spec.ts
@@ -0,0 +1,22 @@
+/**
+ * @license
+ * Copyright Google Inc. All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.io/license
+ */
+
+import {SecurityContext} from '@angular/core';
+import * as t from '@angular/core/testing/testing_internal';
+
+import {DomSanitizationServiceImpl} from '../../src/security/dom_sanitization_service';
+
+export function main() {
+  t.describe('DOM Sanitization Service', () => {
+    t.it('accepts resource URL values for resource contexts', () => {
+      const svc = new DomSanitizationServiceImpl();
+      const resourceUrl = svc.bypassSecurityTrustResourceUrl('http://hello/world');
+      t.expect(svc.sanitize(SecurityContext.URL, resourceUrl)).toBe('http://hello/world');
+    });
+  });
+}