Revision: 5661
Author: [email protected]
Date: Fri Feb 7 17:35:08 2014 UTC
Log: Add leniency in taming for better Google Visualization API
support.
https://codereview.appspot.com/57170046
Loading google.visualization with options such as
{packages:['orgchart']}
will result in a stub "google.visualization.PieChart" which is not a
function, causing markCtor to fail. To avoid failures like this, skip
taming any object which is expected to be a ctor but is not a function.
Supporting changes:
In the test server, request that the browser's XSS filter be disabled.
It sometimes interferes with the generic-host-page, which evaluates
scripts specified in the URL, and could plausibly hide an actual
unsandboxed-execution bug in Caja from the tests.
[email protected]
http://code.google.com/p/google-caja/source/detail?r=5661
Modified:
/trunk/src/com/google/caja/apitaming/cajaTamingGoogleLoader.js
/trunk/tests/com/google/caja/util/LocalServer.java
=======================================
--- /trunk/src/com/google/caja/apitaming/cajaTamingGoogleLoader.js Mon Feb
3 22:42:04 2014 UTC
+++ /trunk/src/com/google/caja/apitaming/cajaTamingGoogleLoader.js Fri Feb
7 17:35:08 2014 UTC
@@ -325,6 +325,14 @@
function defCtor(path, obj, policy) {
caja.console.log(path + ' defCtor');
+
+ // Be lenient: don't fail on getting an object instead of a
function. This
+ // is needed for the modular Visualization API which sometimes has
stub
+ // objects instead of actual ctor functions when the ctor was in a
module
+ // not loaded.
+ if (typeof obj === 'object') {
+ return;
+ }
adviseFunction(obj, policy);
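Review bot: The new `typeof obj === 'object'` guard also matches `null`, and any other non-function value (an `undefined` slot, for instance) still falls through to `adviseFunction`, so the leniency is at once wider and narrower than the "not a function" case the log message describes. The early return also leaves no trace, which makes a silently untamed ctor path hard to spot later; I would make the skip explicit and visible: `if (typeof obj !== 'function') { caja.console.log(path + ' defCtor: skipping non-function stub'); return; }`. Whether a skipped stub remains reachable by guest code untamed cannot be seen from this hunk and is worth confirming, since that is where relaxing the taming would matter. defCtor's body continues past the end of the hunk.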
=======================================
--- /trunk/tests/com/google/caja/util/LocalServer.java Mon Feb 3 22:42:04
2014 UTC
+++ /trunk/tests/com/google/caja/util/LocalServer.java Fri Feb 7 17:35:08
2014 UTC
@@ -14,6 +14,8 @@
package com.google.caja.util;
+import javax.servlet.http.HttpServletResponse;
+
import org.mortbay.jetty.Server;
import org.mortbay.jetty.handler.ContextHandler;
import org.mortbay.jetty.handler.ResourceHandler;
@@ -22,6 +24,7 @@
import org.mortbay.jetty.handler.HandlerList;
import org.mortbay.jetty.servlet.Context;
import org.mortbay.jetty.servlet.ServletHolder;
+import org.mortbay.resource.Resource;
import com.google.caja.SomethingWidgyHappenedError;
import com.google.caja.service.ProxyServlet;
@@ -68,7 +71,18 @@
cajaStatic.setResourceBase("./ant-war/");
// static file serving for tests
- final ResourceHandler resource_handler = new ResourceHandler();
+ final ResourceHandler resource_handler = new ResourceHandler() {
+ @Override
+ protected void doResponseHeaders(HttpServletResponse response,
+ Resource resource, String mimeType) {
+ super.doResponseHeaders(response, resource, mimeType);
+
+ // If not disabled, IE and Chrome will refuse to execute script
text
+ // which happens to occur in the URL (which applies to our
+ // generic-host-page for one).
+ response.setHeader("X-XSS-Protection", "0");
+ }
+ };
resource_handler.setResourceBase(".");
resource_handler.getMimeTypes().addMimeMapping(
"ujs", "text/javascript;charset=utf-8");
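Review bot: `X-XSS-Protection: 0` is emitted for every static resource this ResourceHandler serves, not only for the generic-host-page the comment names, so any test that depended on the browser filter being active gets the weakened setting as well. Because this is a deliberate weakening, the comment should say so explicitly and mark it test-only, e.g. `// TEST ONLY: disables the browser XSS filter for all static files served here; never copy into a production handler.` If the interference is really confined to the generic-host-page, narrowing the header to that resource (presumably checkable via `resource.getName()` — verify against Jetty's Resource API) would leave the rest of the served tree at browser defaults.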