no-angularjs-sce-resource-url-wildcard

Disallow wildcard AngularJS SCE resource URL whitelist entries.

Targeted pattern scope

AngularJS SCE whitelist configurations using wildcard entries.

What this rule reports

resourceUrlWhitelist([...]) entries that contain wildcard values.

Why this rule exists

Wildcard resource URL allowlists can over-trust unreviewed remote origins.

❌ Incorrect

$sceDelegateProvider.resourceUrlWhitelist(["self", "*"]);

✅ Correct

$sceDelegateProvider.resourceUrlWhitelist([
 "self",
 "https://cdn.example.com/app",
]);

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
 {
  plugins: { sdl },

  rules: {
   "sdl/no-angularjs-sce-resource-url-wildcard": "error",
  },
 },
];

When not to use it

Disable only if wildcard resource URLs are part of a reviewed legacy exception with strong compensating controls.

Package documentation

Rule source

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

ESLint flat config example​

When not to use it​

Package documentation​

Further reading​