You can define a 'mitigate' function in your uriPolicy that receives a
URL for a requested resource. If you have a pre-mitigated version of
jQuery, you can then return it as a string and it will not be rewritten
or pass through the security checks.

But I have found that the biggest performance issue is actually jQuery
itself. Since Caja now only runs on more modern browsers, switching to
http://zeptojs.com/ or similar will provide the biggest improvement.

On Wed, Sep 24, 2014 at 9:26 PM, Jing Jin <[email protected]> wrote:
> Does caja.js perform run time check and code rewrite for jquery.js every
> time we call caja.load().run()? It's a big performance hit to scan the
> common jquery library every time we load the html fragment.
>
> On Tuesday, July 8, 2014 2:20:59 PM UTC-4, Kevin Reid wrote:
>>
>> On Mon, Jun 30, 2014 at 7:47 AM, crystal <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> In my app, we are trying to use caja to load a number of html fragments
>>> (html, css and js) from the same vendor. These 3rd party fragments all use
>>> the same jquery library. The jquery library is fetched multiple times by the proxy
>>> server for each guest fragment, each request with a different callback
>>> (/proxy?url=http://jquery-1.8.2&input-mime-type=text/javascript&callback=caja_ajax_7&alt=json-in-script).
>>> This causes a big delay in loading the fragments.
>>>
>>>
>>>
>>> Does caja come with some capability to cache the common js libraries for
>>> guest contents, or allow guests to share common js libraries? Thanks.
>>
>>
>> At a high level of abstraction, this falls into the category of "Caja
>> could use a better proxy service", one which functions more like an HTTP
>> cache should and without legacy characteristics from the cajoling-service it
>> was built into.
>>
>> However, for the situation you describe, I would recommend that you
>> eliminate the need for the proxy:
>>
>> 1. Have the vendor enable CORS for those resources on their server(s).
>>
>> 2. In your Caja configuration, set the URI policy (specifically the
>> fetcher) so that it uses direct XHR rather than the proxy, either
>> unconditionally or specifically recognizing the domain serving the
>> fragments.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "Google Caja Discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.



-- 
James Keane
Wishabi.com | 647-460-3634
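
The quoted step 2 (a fetcher that recognizes the vendor's domain) together with the original question about fetching the same jQuery once per guest, sketched as an added example that is not from this thread or from the Caja project. The `(url, mime, callback)` fetcher signature, the `error` field on failed results, and every name below are assumptions.

```javascript
// Added example. Assumptions: a fetcher is called as fetch(url, mime, callback),
// a failed result carries an `error` field, and all names are hypothetical.
function makeVendorFetcher(vendorOrigins, directFetch, proxyFetch) {
  // Normalise once so the comparison below is an exact origin match,
  // not a substring or prefix test on the URL string.
  const allowed = new Set(vendorOrigins.map((o) => new URL(o).origin));
  const cache = new Map();   // key -> successful result, reused across guests
  const pending = new Map(); // key -> callbacks waiting on one in-flight fetch

  return function fetch(url, mime, callback) {
    let parsed;
    try {
      parsed = new URL(String(url));
    } catch (e) {
      callback({ error: 'unparseable URL' });
      return;
    }
    const key = mime + ' ' + parsed.href;
    if (cache.has(key)) {    // already fetched for an earlier guest
      callback(cache.get(key));
      return;
    }
    if (pending.has(key)) {  // same library requested while still in flight
      pending.get(key).push(callback);
      return;
    }
    pending.set(key, [callback]);
    // Only the vendor's exact origin (scheme, host, port) goes direct and so
    // needs CORS enabled; every other URL keeps going through the proxy.
    const upstream = allowed.has(parsed.origin) ? directFetch : proxyFetch;
    upstream(url, mime, (result) => {
      const waiters = pending.get(key) || [];
      pending.delete(key);
      // Failures are never cached, so a transient error can be retried.
      if (result && !result.error) cache.set(key, result);
      waiters.forEach((cb) => cb(result));
    });
  };
}
```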
