Status: Accepted
Owner: kpreid.switchb.org
CC: erights
Labels: Type-Defect Priority-Medium

New issue 1808 by kpreid.switchb.org: NO_KNOWN_EXPLOIT_SPEC_VIOLATION is nonmonotonic
http://code.google.com/p/google-caja/issues/detail?id=1808

The legacy-compatibility implementation of NKESV in caja.js specifies

         'PUSH_IGNORES_FROZEN': { 'doNotRepair': true },

This means that with the default maxAcceptableSeverity, SAFE_SPEC_VIOLATION, we will repair PUSH_IGNORES_FROZEN, but with the allegedly more-lenient NKESV, we will consider this a fatal problem. This is at least unintuitive, if not wrong.

Before r5442, which replaced NKESV with acceptableProblems in SES, we had no repair because we had no way to express not executing the repair if the only problem was PUSH_IGNORES_SEALED (as we wished to do for performance), so we left the repair out entirely.

Proposed actions:

1. Remove the above from PUSH_IGNORES_FROZEN, so that we are willing to repair a fatally flawed push.

2. Change the caja.js API so that the acceptableProblems, or (to avoid footguns) predefined bundles of them, are directly specified by the caller, so that they can independently say "don't repair PUSH_IGNORES_SEALED and proceed" and "don't repair PUSH_IGNORES_FROZEN and stop" (if that behavior is wanted). We would still need to give a meaning to NKESV for backwards compatibility.
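
The nonmonotonicity reported above can be checked mechanically. The following is an added example, not code from caja.js or SES: a simplified model in which `decide`, `monotonicityViolations`, the `max` field and the problem table are hypothetical names. It assumes that an unrepaired PUSH_IGNORES_FROZEN is worse than NKESV and that its repair brings it down to SAFE_SPEC_VIOLATION.

```javascript
// Added illustration; a simplified model, not the SES or caja.js source.
// Severity thresholds ordered from strictest to most lenient (assumed ordering).
const SEVERITY = ['SAFE', 'SAFE_SPEC_VIOLATION',
                  'NO_KNOWN_EXPLOIT_SPEC_VIOLATION', 'UNSAFE_SPEC_VIOLATION'];
const rank = (name) => SEVERITY.indexOf(name);

// Constructed problem table (assumption): severity without and with the repair.
const PROBLEMS = {
  PUSH_IGNORES_FROZEN: { unrepaired: 'UNSAFE_SPEC_VIOLATION',
                         repaired: 'SAFE_SPEC_VIOLATION' },
};

// Policies as the issue describes them: the default carries no overrides,
// the legacy NKESV mapping carries doNotRepair for PUSH_IGNORES_FROZEN.
const POLICIES = {
  SAFE_SPEC_VIOLATION: { max: 'SAFE_SPEC_VIOLATION', acceptableProblems: {} },
  NO_KNOWN_EXPLOIT_SPEC_VIOLATION: {
    max: 'NO_KNOWN_EXPLOIT_SPEC_VIOLATION',
    acceptableProblems: { 'PUSH_IGNORES_FROZEN': { 'doNotRepair': true } },
  },
};

// Outcome for one detected problem: skip the repair if told to, then compare
// the resulting severity with the policy's threshold.
function decide(policy, problemId) {
  const override = policy.acceptableProblems[problemId] || {};
  const p = PROBLEMS[problemId];
  const effective = override.doNotRepair ? p.unrepaired : p.repaired;
  return { repaired: !override.doNotRepair, ok: rank(effective) <= rank(policy.max) };
}

// Monotonicity: whatever a stricter threshold accepts, a more lenient one must too.
function monotonicityViolations(policies, problemIds) {
  const names = Object.keys(policies)
    .sort((a, b) => rank(policies[a].max) - rank(policies[b].max));
  const out = [];
  for (let i = 0; i < names.length; i++)
    for (let j = i + 1; j < names.length; j++)
      for (const id of problemIds)
        if (decide(policies[names[i]], id).ok && !decide(policies[names[j]], id).ok)
          out.push({ problem: id, acceptedAt: names[i], fatalAt: names[j] });
  return out;
}

// Proposed action 1 in this model: drop the doNotRepair entry from NKESV.
const FIXED = { ...POLICIES, NO_KNOWN_EXPLOIT_SPEC_VIOLATION:
  { max: 'NO_KNOWN_EXPLOIT_SPEC_VIOLATION', acceptableProblems: {} } };

console.log(monotonicityViolations(POLICIES, ['PUSH_IGNORES_FROZEN']));
console.log(monotonicityViolations(FIXED, ['PUSH_IGNORES_FROZEN']));
```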

