On Mon, Apr 7, 2014 at 1:36 PM, Dominik Seifert <[email protected]> wrote:
> I am rather amazed by the potential power that Caja has to offer; however,
> I cannot find a clear explanation of the execution or communication models.
>
> From what I understand so far, in the old version you have to run a server
> that runs the Cajole Java process to convert unsafe Javascript to safe
> Javascript. Caja.js then emulates a local run-time environment, using
> iframe, to run the safe code sent back by the server. The newer version has
> a cajoler available in Javascript.

This is roughly true, but the “cajoler” was based around the notion of rewriting an entire bundle of HTML and JS (and CSS) into 'safe' formats all at once. The 'newer version' (ES5 mode) is much more of an 'emulated browser' — the rewriting which occurs is just-in-time, so that it can support things like eval().

> Now here are my questions:
>
> 1. Is my description somewhat accurate? Could it be that the pure
> Javascript implementation can only do SES for now?

What do you mean by “only do SES”? There is a restriction imposed by SES, namely that guest code cannot modify the global objects (e.g. Array.prototype). But this is generally considered bad practice for modularity, anyway.

> 2. Is it recommended to simply use the given Caja service (at
> https://caja.appspot.com/) for all my cajoling needs? Or can I somehow
> set up my own service, and if so, how?

All you need for basic usage is to place the JS files (caja.js and ses-single-frame.js) on your own server.

> 3. This documentation page
> <https://code.google.com/p/google-caja/wiki/CajaCajole> only
> explains how to run things locally. I cannot even find the server in the
> code. Also, that very page is deprecated and it sends us to the official
> Caja documentation <https://developers.google.com/caja/> site, which
> does not mention anything about how to run the cajoler at all.

That's because the cajoler itself, and almost all server-side components, are themselves deprecated. Just use the JS.

> 4. From what I can gather in the code base, the SES compiler is
> available in Javascript, but I cannot find documentation on how to use it.
> Am I blind? Can you maybe link me to the relevant page or some SES API
> documentation?

SES is not a “compiler”, it is an entirely run-time system which is loaded into an iframe to secure it. If you are using Caja, you don't have to consider SES at all — caja.js automatically sets things up — unless you want to write code which specifically takes advantage of SES's fine-grained security provisions.

> 5. A more philosophical question: Are you guys planning on porting to
> Node.js yet? The best relevant match on this group is this thread
> <https://groups.google.com/forum/#!searchin/google-caja-discuss/node.js/google-caja-discuss/KktHM_kiHCk/5LsvGYgF04oJ>
> from 2012. However, that's probably not too interesting for Google's
> internal use, for now?

Node.js is for server-side operations. Modern Caja has no server components other than a small request proxy. If you're interested in using SES security together with Node.js, there have been some more recent threads discussing attempts to get that working, I believe.

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
