On 2014/03/12 00:11:19, kpreid_google wrote:

https://codereview.appspot.com/67720043/diff/1/src/com/google/caja/plugin/html-emitter.js
File src/com/google/caja/plugin/html-emitter.js (right):


https://codereview.appspot.com/67720043/diff/1/src/com/google/caja/plugin/html-emitter.js#newcode593
src/com/google/caja/plugin/html-emitter.js:593: rewriteFunctionCalls: false
On 2014/03/12 00:04:53, MarkM wrote:
> While there, I also noticed that "parseProgram" is now called
> "parseFunctionBody", so I changed that too. PTAL in case I shouldn't
> be disabling that here.

I do not grok mitigation. If you need verification of that, request
review from someone who does.

Who do you suggest?



https://codereview.appspot.com/67720043/diff/1/src/com/google/caja/ses/startSES.js
File src/com/google/caja/ses/startSES.js (right):


https://codereview.appspot.com/67720043/diff/1/src/com/google/caja/ses/startSES.js#newcode784
src/com/google/caja/ses/startSES.js:784: // coordination with the list of mitigation options in
On 2014/03/12 00:04:53, MarkM wrote:
> On 2014/03/11 23:31:21, kpreid_google wrote:
> > Insofar as SES should be able to hypothetically exist as a separate
> > library which Caja depends on, it would be nice if such coordination
> > were somehow not necessary.
>
> I agree. Suggestions?

Well, from the perspective of the dependencies,
evaluateUntrustedExternalScript does what it does because it wants to
avoid mitigation on the premise that it has content which either is
already rewritten or doesn't care. On those grounds the
rewriter-or-not-carer should be supplying the relevant options.

More practically, we could have SES export an appropriate options
structure for the no-mitigation goal, which
evaluateUntrustedExternalScript then passes back in.



https://codereview.appspot.com/67720043/
