I've been scouring the internet on various occasions for quite a while now trying to figure all of this stuff out. I'm creating a web app where I have users submit JavaScript that they have written to a database, and that JavaScript is then served up and run on the browsers of other users. Obviously the user-submitted JavaScript has the potential to be dangerous. To secure it I run it through Caja, which I know does a lot of fancy stuff including potentially rewriting the code. It is a lot of overhead that I wish could be simpler, but Caja is the best that I've been able to find for me to easily secure my code.

I've also heard of SES, and I'm confused. There seems to be no source that explains this well. From what I've been able to gather, SES is what is produced after running initSES.js on some JavaScript code? Apparently the initSES.js process is much simpler than the Cajoling process, because ES5 strict mode code is much easier to secure.

So, is there an official version of initSES.js that I can run on ES5 Strict Mode code that will make it completely secure? If not completely secure, how secure would it be? Is anyone using SES code out in the wild? Some clarification would be nice.
If the above was confusing, then to put things more simply and to summarize: I would like to know if I can run user-submitted ES5 Strict Mode code through initSES.js and produce SES code, without the use of Caja. Any clarification will be greatly appreciated, thanks!
