On Fri, May 2, 2014 at 2:54 PM, Helen Wu <[email protected]> wrote:
> Oh, that is very cool :).
We think so!
> I have a few more questions to make sure that I
> fully understand.
>
> By proxying external script/style tags, do you mean that it has to pass it
> though to the server to load those scripts/styles safely?
Yes. Right now the rough shape of safe code is
with (special_scope_object) {
// untrusted code
}
If you load an external script, we have to wrap it in a "with block"
so it can be safely loaded.
> If I say that I don't allow external script/style tags to simplify things,
> does that mean I don't need a Caja server at all? How would I incorporate
> that into the code?
You don't need to run a proxy, but you do need to host all the
javascript files. I don't know which ones, exactly; I'll have to
defer to one of the other guys about this.
Once they answer your question, we can close issue 1912!
https://code.google.com/p/google-caja/issues/detail?id=1912
> Could I add the ses-single-frame and utility frame to my server and never
> call a Caja server? Do I need other js files?
> Right now I'm using
>>
>> caja.initialize
>> cajaServer: 'https://caja.appspot.com/'
>> debug: true
>> es5Mode: true
>
>
> However, it seems like if I don't give a caja server, it defaults to appspot
> anyway and looks for the script there through installAsyncScript. How would
> I remove the Caja server dependency?
>
> Thanks so much!! Sorry about asking so many questions :P
No, that's a good thing. We certainly need documentation about this,
and this is the right forum for writing it up.
--
Mike Stay - [email protected]
http://www.cs.auckland.ac.nz/~mike
http://reperiendi.wordpress.com
--
---
You received this message because you are subscribed to the Google Groups
"Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
