Revision: 4243
Author: [email protected]
Date: Fri Aug 13 12:14:40 2010
Log: In corkboard, set up URI policy so that links/images are not rewritten.

http://code.google.com/p/google-caja/source/detail?r=4243

Modified:
 /trunk/src/com/google/caja/demos/corkboard/cajole.py
 /trunk/src/com/google/caja/demos/corkboard/static/embedded-scripts.js

=======================================
--- /trunk/src/com/google/caja/demos/corkboard/cajole.py Fri Aug 6 18:04:10 2010
+++ /trunk/src/com/google/caja/demos/corkboard/cajole.py Fri Aug 13 12:14:40 2010
@@ -25,8 +25,11 @@
 timeToCacheTimeouts = 10

 # constants
-cajoleRequestURL = cajaServer + "cajole?input-mime-type=text/html" \
-                                    + "&output-mime-type=application/json"
+cajoleRequestURL = (cajaServer + "cajole?input-mime-type=text/html"
+                               + "&output-mime-type=application/json"
+                               + "&effect=SAME_DOCUMENT"
+                               + "&loader=SANDBOXED"
+                               + "&sext=false")
 dummyModule = "___.loadModule({'instantiate': function () {}})"
 requestBodyEncoding = "utf-8"

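Review bot: The three parameters added to `cajoleRequestURL` have no comment in cajole.py, although the comment in embedded-scripts.js calls `sext=false` a temporary kludge that has to be matched by the client-side policy. Someone reading only this file cannot tell that the setting is presumably safe only while the `uriPolicy` object in static/embedded-scripts.js is installed on every sandbox. I would add above the assignment something like `# sext=false is a temporary kludge; it must stay paired with uriPolicy in static/embedded-scripts.js`.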
=======================================
--- /trunk/src/com/google/caja/demos/corkboard/static/embedded-scripts.js Mon Jul 19 16:18:21 2010
+++ /trunk/src/com/google/caja/demos/corkboard/static/embedded-scripts.js Fri Aug 13 12:14:40 2010
@@ -20,16 +20,33 @@
 var registerForScript, loadScripts;
 (function () {
   var scriptHooks = [];
-
+
+  var uriPolicy = {
+    // TODO(kpreid): have a sensible default instead of this app needing it
+ // In particular, in cajole.py we specify "sext=false" (which is itself a
+    // temporary kludge); there should be a single switch, or at least two
+ // similarly-exzpressed ones, which do that and also change the client-side
+    // policy.
+    rewrite: function (uri, mimeType) {
+      if ((/^https?:/i).test(uri)) {
+        // TODO: unsafe, need to check mimeType but that's not sufficient
+        return uri;
+      } else {
+        return "data:,URI%20rejected";
+      }
+    }
+  };
+
   registerForScript = function (vdocId, moduleText) {
     scriptHooks.push([vdocId, moduleText]);
   }
-
+
   function go(caja) {
     for (var i = 0; i < scriptHooks.length; i++) {
       var id         = scriptHooks[i][0];
       var moduleText = scriptHooks[i][1];
       var sandbox = new caja.hostTools.Sandbox();
+      sandbox.setURIPolicy(uriPolicy);
       sandbox.attach(document.getElementById(id));
       sandbox.runCajoledModuleString(moduleText);
     }
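Review bot: The scheme test in `rewrite` accepts authority-less forms such as `http:path`, which browsers resolve against the embedding page's own URL when the schemes match, so a host-relative reference can pass as if it were an external absolute URI; requiring the slashes closes that, `if ((/^https?:\/\//i).test(uri)) {`. The `mimeType` argument is never read, and the inline TODO says only "unsafe" without naming the risk, so a comment stating that every http(s) target is currently passed through unchanged for any resource type would help the next reader. The comment above `rewrite` also has a typo (`exzpressed`) and two mis-indented lines. The body of `go` and the enclosing function continue past the end of the hunk.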
