Angular insecure url


I'm using this directive to use jCrop with Angular:

When I load in a value for src, I get this error:

Can't interpolate: {{profileImg}} Error: [$sce:insecurl]

Then it links me to a page that says this:

Blocked loading resource from url not allowed by $sceDelegate policy.

My html is this:

<img-cropped src={{profileImg}} selected='selected(cords)'/>

And this error happens when I change $scope.profileImg to the url of my image.

I'm linking to S3, where I get the value from profileImg. I trust this source, so how can I tell angular that this source is trusted enough to get this directive working?

If I hardcode the src to be my image, I don't get this problem.


I'm trying to trust the url with $sce.

My controller:

cmsApp.controller('PresentationCtrl',function($scope, $upload, all, $sce){

var socket = io.connect('');

$scope.uploadProfilePic = function(){
    var url = '';

    $scope.upload = $upload.upload({
        console.log('percent: ' + parseInt(100.0 * evt.loaded /;
        $scope.profileImg = data;

And even with the trustAsUrl, it throws the same error.

It might be that I'm trying to connect from it from my local nginx server?


I moved it to S3 hosting, and it worked. The image I'm trying to link to is also on S3. I moved it to an Apache web server on an EC2 instance, and it didn't work.

I'm using all the answers, ng-src instead of src, $sce.trustAsUrl(url), and the $compileProvider

Problem courtesy of: Houseman


sometimes its good to read the docs about $sce

This is a alternative to whitelist all blob and data:image/* urls for just the <img> tag but there is other way that you can solve this like generate a url > pass it into one of the sce function and it will be whitelisted. like @NuclearGhost said

app.config(["$compileProvider" function($compileProvider) {


Solution courtesy of: Endless


If you'd like to add the url as a trusted source you can use the trustAsUrl() method from ng.$sce service

Here's the angular documentation for the service.

Discussion courtesy of: Mark Meyer

I ended up just turning it off with $sceProvider.enabled(false).

Discussion courtesy of: Houseman

This recipe can be found in it's original form on Stack Over Flow.