On Wed, Feb 4, 2015 at 12:10 PM, Jordan Last <[email protected]> wrote:
> Okay, so new theory:
>
> I'll run initSES.js on my client page. Now that page is a secure
> environment. I'll either hit my endpoint or have the user-submitted
> JavaScript on the client somehow already.
>
> The code that I write and is already present before running initSES.js
> interacts with the DOM based on the result of the user-submitted
> JavaScript, but since the user-submitted code doesn't interact with the
> DOM, do I need to use Caja?
>

Strictly speaking, no. However, Caja does provide some conveniences (the taming membrane) for interactions between legacy not-SES-aware code and untrusted code. If you're using pure SES, you'll want to protect (cajaVM.def) all the objects which might get passed to untrusted code, and make sure they don't have any (inherited, say) methods you don't want the code to be able to call.

> If not, I can just eval the user-submitted code, and then my code can
> use the result to update the DOM.
>

Yes, but you need to use the eval provided by SES. Builtin eval() still hands the global scope (and thus DOM access and everything) to the code.
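The two precautions in the reply above (protect every object handed to untrusted code, and check it for inherited methods), as an added example that is not from the thread or from the Caja project. `hardenGraph` is a simplified stand-in for `cajaVM.def`, not its implementation; `callableSurface`, `Store`, `ReadView` and `safeView` are hypothetical names, and the code assumes initSES.js has already frozen the primordials.

```javascript
// hardenGraph is a simplified stand-in for illustration, NOT cajaVM.def.
// Assumption: initSES.js has already frozen the primordials, so the walk stops there.
const PRIMORDIALS = new Set([Object.prototype, Function.prototype, Array.prototype]);

// Freeze obj plus everything reachable through own properties and prototypes.
function hardenGraph(root) {
  const seen = new Set();
  const todo = [root];
  while (todo.length > 0) {
    const obj = todo.pop();
    const t = typeof obj;
    if (obj === null || (t !== 'object' && t !== 'function')) continue;
    if (seen.has(obj) || PRIMORDIALS.has(obj)) continue;
    seen.add(obj);
    Object.freeze(obj);
    todo.push(Object.getPrototypeOf(obj));
    for (const key of Reflect.ownKeys(obj)) {
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if ('value' in desc) todo.push(desc.value);
      else todo.push(desc.get, desc.set);
    }
  }
  return root;
}

// List every method name a holder of obj can call, own or inherited.
function callableSurface(obj) {
  const names = new Set();
  for (let o = obj; o !== null && !PRIMORDIALS.has(o); o = Object.getPrototypeOf(o)) {
    for (const key of Reflect.ownKeys(o)) {
      const desc = Object.getOwnPropertyDescriptor(o, key);
      if (typeof desc.value === 'function' && key !== 'constructor') names.add(String(key));
    }
  }
  return [...names].sort();
}

// Constructed sample: a "read view" that silently inherits a destructive method.
class Store {
  constructor() { this.items = { greeting: 'hi' }; }
  get(k) { return this.items[k]; }
  clear() { this.items = {}; }
}
class ReadView extends Store {}
const leaky = new ReadView();

// Facade exposing only the intended method, hardened before hand-off.
const safeView = hardenGraph({ get: (k) => leaky.get(k) });
```

Running `callableSurface` on each candidate object before it crosses into untrusted code shows that `leaky` still exposes `clear`, while `safeView` exposes only `get`.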
