
Remove the $sce context for the src attribute on video, audio, and source #14019

13 changes: 9 additions & 4 deletions src/ng/compile.js
Expand Up @@ -2808,11 +2808,16 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
return $sce.HTML;
}
var tag = nodeName_(node);
// All tags with src attributes require a RESOURCE_URL value, except for
// img and various html5 media tags. Note that track src allows files
// containing CSS, so leave that to RESOURCE_URL level.
if (attrNormalizedName == "src" || attrNormalizedName == "ngSrc") {
if (["img", "video", "audio", "source"].indexOf(tag) == -1) {
return $sce.RESOURCE_URL;
}
// maction[xlink:href] can source SVG. It's not limited to <maction>.
if (attrNormalizedName == "xlinkHref" ||
(tag == "form" && attrNormalizedName == "action") ||
(tag != "img" && (attrNormalizedName == "src" ||
attrNormalizedName == "ngSrc"))) {
} else if (attrNormalizedName == "xlinkHref" ||
(tag == "form" && attrNormalizedName == "action")) {
return $sce.RESOURCE_URL;
}
}
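Review bot: Taking `video`, `audio` and `source` out of the `RESOURCE_URL` branch (the `["img", "video", "audio", "source"].indexOf(tag) == -1` check) removes the whitelist check without putting anything in its place for those three tags; the only URL sanitization this PR's own sce.js text describes is for `<a href=` and `<img src=`, and no hunk here extends that path, so unless the attribute-setter sanitization elsewhere in compile.js already covers them (not visible in this diff) a `javascript:` or arbitrary `data:` value bound into `<video src>` now reaches the DOM unchanged. That is a weaker position than `img[src]`, not an equal one, even though the new comment presents the four tags as one group. I would either extend the img sanitization condition to the media tags, e.g. `(key === 'src' && (nodeName === 'img' || nodeName === 'video' || nodeName === 'audio' || nodeName === 'source'))`, or make the gap explicit in the comment: `// NOTE: unlike img[src], video/audio/source src is not run through $$sanitizeUri here`. The `== -1` test reads better as `=== -1` but the surrounding file uses loose equality throughout, so that is consistent. The enclosing function continues outside the hunk on both sides.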
2 changes: 1 addition & 1 deletion src/ng/sce.js
Expand Up @@ -533,7 +533,7 @@ function $SceDelegateProvider() {
* | `$sce.HTML` | For HTML that's safe to source into the application. The {@link ng.directive:ngBindHtml ngBindHtml} directive uses this context for bindings. If an unsafe value is encountered and the {@link ngSanitize $sanitize} module is present this will sanitize the value instead of throwing an error. |
* | `$sce.CSS` | For CSS that's safe to source into the application. Currently unused. Feel free to use it in your own directives. |
* | `$sce.URL` | For URLs that are safe to follow as links. Currently unused (`<a href=` and `<img src=` sanitize their urls and don't constitute an SCE context. |
* | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.) <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` does and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` are required. |
* | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG`, `VIDEO`, `AUDIO` and `SOURCE` (e.g. `IFRAME`, `OBJECT`, etc.) <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` does and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` are required. |
* | `$sce.JS` | For JavaScript that is safe to execute in your application's context. Currently unused. Feel free to use it in your own directives. |
*
* ## Format of items in {@link ng.$sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist}/{@link ng.$sceDelegateProvider#resourceUrlBlacklist Blacklist} <a name="resourceUrlPatternItem"></a>
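Review bot: The edited `$sce.RESOURCE_URL` row now excludes `VIDEO`, `AUDIO` and `SOURCE`, but the `$sce.URL` row two lines above still states that only `<a href=` and `<img src=` sanitize their URLs, so the table no longer says what, if anything, protects those three `src` bindings. If they are sanitized like `img[src]`, the URL row should list them: "(`<a href=`, `<img src=`, `<video src=`, `<audio src=` and `<source src=` sanitize their urls …)"; if they are deliberately passed through unchecked, the RESOURCE_URL row should say so in one clause rather than leaving it implied. The `describe('$compile'` / `$SceDelegateProvider` doc block this table sits in extends beyond the hunk.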
27 changes: 25 additions & 2 deletions test/ng/compileSpec.js
Expand Up @@ -8766,8 +8766,7 @@ describe('$compile', function() {
});
});


describe('img[src] sanitization', function() {
describe('*[src] context requirement', function() {

it('should NOT require trusted values for img src', inject(function($rootScope, $compile, $sce) {
element = $compile('<img src="{{testUrl}}"></img>')($rootScope);
Expand All @@ -8780,6 +8779,30 @@ describe('$compile', function() {
expect(element.attr('src')).toEqual('http://example.com/image2.png');
}));

// Older IEs seem to reject the video tag with "Error: Not implemented"
if (!msie || msie > 9) {
it('should NOT require trusted values for video src',
inject(function($rootScope, $compile, $sce) {
element = $compile('<video src="{{testUrl}}"></video>')($rootScope);
$rootScope.testUrl = 'http://example.com/image.mp4';
$rootScope.$digest();
expect(element.attr('src')).toEqual('http://example.com/image.mp4');

// But it should accept trusted values anyway.
$rootScope.testUrl = $sce.trustAsUrl('http://example.com/image2.mp4');
$rootScope.$digest();
expect(element.attr('src')).toEqual('http://example.com/image2.mp4');

// and trustedResourceUrls for retrocompatibility
$rootScope.testUrl = $sce.trustAsResourceUrl('http://example.com/image3.mp4');
$rootScope.$digest();
expect(element.attr('src')).toEqual('http://example.com/image3.mp4');
}));
}
});

describe('img[src] sanitization', function() {

it('should not sanitize attributes other than src', inject(function($compile, $rootScope) {
/* jshint scripturl:true */
element = $compile('<img title="{{testUrl}}"></img>')($rootScope);
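Review bot: The new `should NOT require trusted values for video src` test only shows that an ordinary `http:` URL and two trusted wrappers flow through; nothing asserts what happens to an unsafe scheme on `<video src>`, which is precisely the behaviour the compile.js change alters. The sibling `img[src] sanitization` describe presumably pins that for `img` (its body runs past the end of this hunk), so the missing regression check is the same case for video, e.g. `$rootScope.testUrl = 'javascript:doEvilStuff()'; $rootScope.$digest();` followed by the same expectation the img case uses for that input — or, if these tags are intentionally left unsanitized, a test that states that outcome instead so a later change cannot silently flip it. The compile.js hunk also covers `audio` and `source`, yet only `video` gets a test here; a parameterised loop over the three tag names would cover them at no extra cost. The enclosing `describe('$compile'` block starts and ends outside the hunk.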