On Wed, May 28, 2014 at 6:11 AM, Will Caine <[email protected]> wrote:
> So, I am using some code such as the following to load a piece of
> standalone javascript and passing it an API. I have two questions...
>
> caja.initialize({cajaServer: 'https://caja.appspot.com/', debug: true,
> maxAcceptableSeverity: 'NO_KNOWN_EXPLOIT_SPEC_VIOLATION'});
>
> caja.load(undefined, {rewrite:function(uri){return true;}},
> function(frame) {
>
> frame.code("/code/" + author + "/" + slug + "/compiled.js",
> 'application/javascript')
>
> .api(CaG.api).run();
>
> });
>
>
> My first question is, is there a way for me to dynamically store some
> javascript client side and then load it into the frame.code() method?
>
Yes, just specify the code as the third argument. In this case the URL in
the first parameter is not fetched but only used as the "virtual" base URL
for relative URL resolution.

> My second question is with regards to supplying my API. In the object I
> supply, none of the functions have been tamed. When I attempt to iterate
> through this object and tame them before use, all of them return undefined.
>
It's not clear to me what you're doing and what might be going wrong. Could
you provide a simple example of how you're setting up the 'CaG.api' object?

> Why is taming necessary? My code works as is and the client's script is
> unable to touch the DOM or get network access so I see no issue. My api
> object contains functions for manipulating a canvas, and a couple other
> utility functions, nothing big.
>
Taming is necessary because *from* even the most innocuous function you can
get other things. If you handed a function from your code directly to the
guest code, it could do anything. For example:

    var Function_from_host_frame = someApiMethod.constructor;
    var unsandboxed_constructed_function = Function_from_host_frame('some malicious code');
    unsandboxed_constructed_function(); // you've lost

Within the Caja sandbox, the Function constructor which guest code can get
access to uses a safe eval. The taming membrane ensures that when values
are passed between your API and the guest code across its boundary, the
guest code can never see an object which has *excess authority* in the way
functions do in this example — instead, they only provide the access that
you wrote them to do.
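The excess-authority point in the reply above, as an added example that is not part of the original message and is not Caja code: a raw host function exposes the host realm's Function constructor through `.constructor`, while a wrapper created inside the guest realm does not. Assumptions: Node's `vm` module is used only to obtain a second realm (it is not a security boundary), the names `hostApi.area`, `tame`, `makeGuest` and `guestReachesHostFunction` are hypothetical, and the wrapper lets only primitives cross, which is far narrower than Caja's taming membrane.

```javascript
const vm = require('node:vm');

// Hypothetical host API method, standing in for the thread's CaG.api.
const hostApi = { area(w, h) { return w * h; } };

const isPrimitive = (v) => v === null || (typeof v !== 'object' && typeof v !== 'function');

// Wrap hostFn in a function that is created inside the guest realm.
// Only primitives cross in either direction; host exceptions become strings.
function tame(hostFn, context) {
  const bridge = (...args) => {          // host side, never exposed to the guest
    if (!args.every(isPrimitive)) return { ok: false, error: 'primitives only' };
    try {
      const value = hostFn(...args);
      return isPrimitive(value) ? { ok: true, value } : { ok: false, error: 'primitives only' };
    } catch (e) {
      return { ok: false, error: 'host error: ' + String(e && e.message) };
    }
  };
  const factory = vm.runInContext(`(function (bridge) {
    'use strict';
    const GuestTypeError = TypeError;    // captured before guest code runs
    return function tamed(...args) {
      const r = bridge(...args);         // r is read here and never handed on
      if (!r.ok) throw new GuestTypeError(r.error);
      return r.value;
    };
  })`, context);
  return factory(bridge);
}

// Build a guest realm whose 'api' is either the raw host object or a tamed one.
function makeGuest(tamed) {
  const context = vm.createContext(Object.create(null));
  if (tamed) {
    context.api = vm.runInContext('({})', context);   // object from the guest realm
    context.api.area = tame(hostApi.area, context);
  } else {
    context.api = hostApi;
  }
  return context;
}

// Constructed probe: the property walk from the message, without calling the result.
// true means the guest is holding the host realm's Function constructor.
function guestReachesHostFunction(context) {
  return vm.runInContext('api.area.constructor', context) === Function;
}
```

Errors thrown by the tamed wrapper are built in the guest realm as well, so a `catch` block in guest code does not receive a host object either.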