Reviewers: ihab.awad,
Description:
Loading google.visualization with options such as
{packages:['orgchart']}
will result in a stub "google.visualization.PieChart" which is not a
function, causing markCtor to fail. To avoid failures like this, skip
taming any object which is expected to be a ctor but is not a function.
Supporting changes:
In the test server, request disabling of browser XSS protection.
This sometimes interferes with the generic-host-page since it
evaluates scripts specified in the URL, and could plausibly hide
an actual unsandboxed execution bug in Caja from the tests.
Please review this at https://codereview.appspot.com/57170046/
Affected files (+23, -1 lines):
src/com/google/caja/apitaming/cajaTamingGoogleLoader.js
tests/com/google/caja/util/LocalServer.java
Index: src/com/google/caja/apitaming/cajaTamingGoogleLoader.js
===================================================================
--- src/com/google/caja/apitaming/cajaTamingGoogleLoader.js (revision 5660)
+++ src/com/google/caja/apitaming/cajaTamingGoogleLoader.js (working copy)
@@ -326,6 +326,14 @@
function defCtor(path, obj, policy) {
caja.console.log(path + ' defCtor');
+ // Be lenient: don't fail on getting an object instead of a
function. This
+ // is needed for the modular Visualization API which sometimes has
stub
+ // objects instead of actual ctor functions when the ctor was in a
module
+ // not loaded.
+ if (typeof obj === 'object') {
+ return;
+ }
+
adviseFunction(obj, policy);
tamingUtils.forallkeys(policy, function(name) {
Index: tests/com/google/caja/util/LocalServer.java
===================================================================
--- tests/com/google/caja/util/LocalServer.java (revision 5660)
+++ tests/com/google/caja/util/LocalServer.java (working copy)
@@ -14,6 +14,8 @@
package com.google.caja.util;
+import javax.servlet.http.HttpServletResponse;
+
import org.mortbay.jetty.Server;
import org.mortbay.jetty.handler.ContextHandler;
import org.mortbay.jetty.handler.ResourceHandler;
@@ -22,6 +24,7 @@
import org.mortbay.jetty.handler.HandlerList;
import org.mortbay.jetty.servlet.Context;
import org.mortbay.jetty.servlet.ServletHolder;
+import org.mortbay.resource.Resource;
import com.google.caja.SomethingWidgyHappenedError;
import com.google.caja.service.ProxyServlet;
@@ -68,7 +71,18 @@
cajaStatic.setResourceBase("./ant-war/");
// static file serving for tests
- final ResourceHandler resource_handler = new ResourceHandler();
+ final ResourceHandler resource_handler = new ResourceHandler() {
+ @Override
+ protected void doResponseHeaders(HttpServletResponse response,
+ Resource resource, String mimeType) {
+ super.doResponseHeaders(response, resource, mimeType);
+
+ // If not disabled, IE and Chrome will refuse to execute script
text
+ // which happens to occur in the URL (which applies to our
+ // generic-host-page for one).
+ response.setHeader("X-XSS-Protection", "0");
+ }
+ };
resource_handler.setResourceBase(".");
resource_handler.getMimeTypes().addMimeMapping(
"ujs", "text/javascript;charset=utf-8");
--
---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
