I have been running into a few issues w.r.t initial loading... speed and browser locking due to (client side) script rewriting.
I am wondering why scripts are always fully mitigated (htmlemitter.js:593|1089 & startSES.js:307). What is the point of all of the SES repairing, if full mitigation needs to be done anyways? Some clarification on this would help immensely. I feel as if I am lacking some crucial information here.

Also, in the worst-case mitigateSrcGotchas and full program parsing can happen _three times in a row_. Forgive my notation on this manual stack trace

---
startSES:compileModule() calls mitigateSrcGotchas.
compileModule() also calls securableWrapperSrc() which calls verifyStrictExpression()
verifyStrictExpression() calls ses.verifyStrictFunctionBody() TWICE
ses.verifyStrictFunctionBody() could (worst-case) evaluate to verifyStrictFunctionBodyByParsing() which again calls mitigateSrcGotchas().
---

For now I will try to use uriPolicy.mitigate to partially resolve this issue (jquery) but browser locking due to parsing is a serious concern for me especially on mobile.

Do you think it would be feasible to optionally support mitigateSrcGotchas in a webworker? My brief investigation makes me believe only minimal code changes would be required to make mitigateSrcGotchas a promise. If mitigateSrcGotchas is a promise then caja.js can load a webworker (if supported) in place of utility-frame.js and boom, no more browser locking.

--
James Keane
Wishabi.com | 647-460-3634
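One way to structure the promise-based, worker-backed rewriting proposed in the message above, added here as an example and not part of the original post or of Caja's code. `makeAsyncMitigator`, the `{id, src}` / `{id, ok, result, error}` message shape and the per-source cache are assumptions made for illustration; the cache addresses the repeated parsing of the same source, and a worker failure rejects rather than handing back unrewritten code.

```javascript
// Added illustration, not Caja code: every name here is hypothetical.
// mitigateSync stands in for a synchronous source rewriter; createWorker
// returns an object with the Web Worker surface (postMessage/onmessage/onerror).
function makeAsyncMitigator(mitigateSync, createWorker) {
  const cache = new Map();    // source text -> promise of rewritten source
  const pending = new Map();  // request id -> { resolve, reject }
  let nextId = 0;
  let worker = null;

  if (typeof createWorker === 'function') {
    worker = createWorker();
    worker.onmessage = (ev) => {
      const { id, ok, result, error } = ev.data;
      const req = pending.get(id);
      if (!req) return;                     // unknown or already settled id
      pending.delete(id);
      if (ok) req.resolve(result);
      else req.reject(new Error(error));
    };
    worker.onerror = () => {
      // Fail closed: a dead worker rejects every waiter, so no caller
      // ever receives source that skipped the rewrite.
      for (const req of pending.values()) {
        req.reject(new Error('mitigation worker failed'));
      }
      pending.clear();
    };
  }

  function run(src) {
    if (!worker) {
      // No worker support: same promise API, rewriting on this thread.
      return new Promise((resolve) => resolve(mitigateSync(src)));
    }
    return new Promise((resolve, reject) => {
      const id = nextId++;
      pending.set(id, { resolve, reject });
      worker.postMessage({ id, src });
    });
  }

  return function mitigate(src) {
    if (!cache.has(src)) {
      const p = run(src);
      p.catch(() => cache.delete(src));     // do not cache failures
      cache.set(src, p);
    }
    return cache.get(src);
  };
}
```

In a browser, `createWorker` would return a real `Worker` whose script runs the rewriter and posts back the assumed reply shape; omitting it keeps the synchronous path behind the same promise interface.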
