Revision: 5658
Author: [email protected]
Date: Mon Feb 3 22:42:04 2014 UTC
Log: Enable loading Picker API via gapi.load.
https://codereview.appspot.com/54240044
* Support "gapi.load('picker', ...)" as given in the example at
<https://developers.google.com/picker/docs/#hiworld>. It is unclear
(from public documentation) what the structure of the loadable APIs
actually is, so for now just add a special case which points at the
'google.picker' policy name.
* Refactor loader API name validation to be in one place.
* Increase URL length limit in test server, allowing larger test
content to be used in generic-host-page.
[email protected]
http://code.google.com/p/google-caja/source/detail?r=5658
Modified:
/trunk/src/com/google/caja/apitaming/cajaTamingGoogleLoader.js
/trunk/src/com/google/caja/apitaming/gapi.client.load.loaderFactory.js
/trunk/src/com/google/caja/apitaming/google.load.loaderFactory.js
/trunk/tests/com/google/caja/util/LocalServer.java
=======================================
--- /trunk/src/com/google/caja/apitaming/cajaTamingGoogleLoader.js Wed Aug
7 17:46:21 2013 UTC
+++ /trunk/src/com/google/caja/apitaming/cajaTamingGoogleLoader.js Mon Feb
3 22:42:04 2014 UTC
@@ -484,10 +484,21 @@
var loaders = [];
var policyByName = tamingUtils.StringMap();
- function loadPolicy(name, cb) {
+ function validateNameAndLoadPolicy(name, willLoadCallback,
loadedCallback) {
+ // This is our front line of defense against a malicious guest
+ // trying to break us by supplying a dumb API name like '__proto__'.
+ if (!whitelistedApis.has(name)) {
+ throw new RangeError('API ' + name +
+ ' is not whitelisted for your application');
+ }
+
+ if (willLoadCallback) {
+ willLoadCallback();
+ }
+
if (policyByName.has(name)) {
window.setTimeout(
- function() { cb(policyByName.get(name)); },
+ function() { loadedCallback(policyByName.get(name)); },
0);
} else {
maybeLoadPolicyFactory(name, function() {
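Review bot: validateNameAndLoadPolicy is now the single point where the API whitelist is enforced, but it has no header comment stating what callers must pass. I would add one above the function, for example `// name: fully qualified policy name, already coerced to a primitive string (e.g. 'google.picker').` followed by `// willLoadCallback (optional) runs synchronously, only after the whitelist check passes; loadedCallback receives the policy.` The existing `__proto__` comment explains why the check exists but not that every loader factory is expected to route through it. The function body continues past the end of this hunk.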
@@ -496,7 +507,7 @@
.call({}, frame, tamingUtils);
mergeInto(framePolicies, policy.value);
policyByName.set(name, policy);
- cb(policy);
+ loadedCallback(policy);
});
}
}
@@ -548,11 +559,10 @@
for (var i = 0; i < loaderFactories.length; i++) {
loaders.push(loaderFactories[i]({
EventListenerGroup: EventListenerGroup,
- loadPolicy: loadPolicy,
+ validateNameAndLoadPolicy: validateNameAndLoadPolicy,
tamingUtils: tamingUtils,
reapplyPolicies: reapplyPolicies,
- frame: frame,
- whitelistedApis: whitelistedApis
+ frame: frame
}));
}
=======================================
--- /trunk/src/com/google/caja/apitaming/gapi.client.load.loaderFactory.js
Wed Dec 12 23:37:11 2012 UTC
+++ /trunk/src/com/google/caja/apitaming/gapi.client.load.loaderFactory.js
Mon Feb 3 22:42:04 2014 UTC
@@ -16,6 +16,9 @@
* @fileoverview
* Loader factory for Google APIs loader
*
+ * Note that despite the name, this implements gapi.load as well as
+ * gapi.client.load, for historical reasons.
+ *
* @author [email protected]
* @overrides caja, google, gapi, console
*/
@@ -63,31 +66,49 @@
safeWindow.gapi.client = {};
}
- safeWindow.gapi.load = mf(function(name, callback) {
+ safeWindow.gapi.load = mf(function(name, optionsOrCallback) {
name = '' + name;
- if (name !== 'client') {
- throw new Error('gapi.load() only accepts "client" as first
argument');
+
+ var callback;
+ if (typeof optionsOrCallback === 'function') {
+ callback = optionsOrCallback;
+ } else if (typeof optionsOrCallback === 'object' &&
+ typeof (callback = optionsOrCallback.callback) === 'function') {
+ // read once and assigned in condition
+ } else {
+ throw new Error('gapi.load() requires a callback as second
argument');
}
- if (!callback) {
- throw new Error('gapi.load() requires a callback as second
argument');
+
+ if (name === 'client') {
+ topLevelCallback.setCallback(callback);
+ gapi.load('client', function() {
+ topLevelCallback.signalLoadClient();
+ });
+ } else {
+ // TODO(kpreid): Kludge. Replace this with a more general mechanism
+ // when we have more information about how APIs are named.
+ if ((/\./).test(name)) {
+ // Reject dotted names as otherwise we'd permit names like
+ // "client.urlshortener" which come from gapi.client.load
instead.
+ // All other malformed names will be caught by the whitelist.
+ throw new Error('API name should not contain "." characters.');
+ }
+ var fullName = name === 'picker' ? 'google.picker' : 'gapi.' +
name;
+
+ utils.validateNameAndLoadPolicy(fullName, undefined,
function(policy) {
+ gapi.load(name, function() {
+ utils.reapplyPolicies();
+ callback && callback.call({});
+ });
+ });
}
- topLevelCallback.setCallback(callback);
- gapi.load('client', function() {
- topLevelCallback.signalLoadClient();
- });
});
safeWindow.gapi.client.load = mf(function(name, version, callback) {
var fullName = 'gapi.client.' + name;
version = '' + version;
- // This is our front line of defense against a malicious guest
- // trying to break us by supplying a dumb API name like '__proto__'.
- if (!utils.whitelistedApis.has(fullName)) {
- throw 'API ' + name + ' is not whitelisted for your application';
- }
-
- utils.loadPolicy(fullName, function(policy) {
+ utils.validateNameAndLoadPolicy(fullName, undefined,
function(policy) {
gapi.client.load(name, version, function() {
utils.reapplyPolicies();
callback && callback.call({});
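Review bot: `typeof null` is `'object'`, so in the added options branch of gapi.load a null second argument reaches `optionsOrCallback.callback` and throws a TypeError instead of the intended 'gapi.load() requires a callback as second argument' Error. The condition should exclude null first: `} else if (optionsOrCallback !== null && typeof optionsOrCallback === 'object' &&`. In the non-'client' branch `callback` has already been checked to be a function, so `callback && callback.call({})` can be just `callback.call({})`. The gapi.client.load body at the end of this hunk continues outside it.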
=======================================
--- /trunk/src/com/google/caja/apitaming/google.load.loaderFactory.js Sat
Nov 24 18:50:17 2012 UTC
+++ /trunk/src/com/google/caja/apitaming/google.load.loaderFactory.js Mon
Feb 3 22:42:04 2014 UTC
@@ -31,16 +31,12 @@
safeWindow.google.load =
utils.frame.markFunction(function(name, opt_ver, opt_info) {
-
- // This is our front line of defense against a malicious guest
- // trying to break us by supplying a dumb API name
like '__proto__'.
- if (!utils.whitelistedApis.has('google.' + name)) {
- throw 'API ' + name + ' is not whitelisted for your
application';
- }
-
- loadWasCalled = true;
-
- utils.loadPolicy('google.' + name, function(policy) {
+ utils.validateNameAndLoadPolicy(
+ 'google.' + name,
+ function() {
+ loadWasCalled = true;
+ },
+ function(policy) {
var guestCallback = undefined;
if (opt_info) {
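Review bot: `name` is never coerced to a string in google.load, so the whitelist check sees the result of `'google.' + name` while the raw argument is what is later passed to `google.load(name, policy.version, opt_info)` in the following hunk. gapi.load in this same commit starts with `name = '' + name;`, which guarantees that the validated value and the loaded value are the same primitive. I would add that line at the top of this function, and of gapi.client.load, which likewise checks `'gapi.client.' + name` but forwards the raw `name`. Whether the taming layer already guarantees a primitive string at this point is not visible in the diff, so this is a defence-in-depth and consistency request. The function body starts and ends outside this hunk.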
@@ -64,12 +60,12 @@
google.load(name, policy.version, opt_info);
}
});
- });
+ });
safeWindow.google.setOnLoadCallback =
utils.frame.markFunction(function(cb) {
- if (onloads) { onloads.add(cb); }
- });
+ if (onloads) { onloads.add(cb); }
+ });
}
function signalOnload() {
=======================================
--- /trunk/tests/com/google/caja/util/LocalServer.java Thu Dec 19 19:46:16
2013 UTC
+++ /trunk/tests/com/google/caja/util/LocalServer.java Mon Feb 3 22:42:04
2014 UTC
@@ -59,6 +59,11 @@
public void start(int port) throws Exception {
server = new Server(port);
+ // Increase header buffer size to allow long URLs (particularly for
+ // generic-host-page.html which puts the content into the URL).
+ // (The Server(int) constructor adds one connector internally.)
+ server.getConnectors()[0].setHeaderBufferSize(100 * 1024);
+
final ResourceHandler cajaStatic = new ResourceHandler();
cajaStatic.setResourceBase("./ant-war/");