The site hosting Caja determines the properties of the accessible primordial objects, i.e., the objects such as Number.prototype, that all Caja guest objects get implicit access to. The default includes all properties specified by EcmaScript 5 (ES5) plus some other ES6 and some de facto properties, as enumerated at https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/whitelist.js
If you are writing guest code to run on someone else's host, then you are subject to their decisions about what should be included. If you are the host, you *can* add your enhancements to Number.prototype, by loading these prior to loading Caja, and by enumerating your enhancements in whitelist.js. However, we encourage you not to. If you do, please be careful! All mutually suspicious code loaded into that Caja context (frame/realm) share access to these enhancements of your's, so it becomes your responsibility to ensure that these enhancements do not introduce vulnerabilities. If you explain the nature of the enhancements you'd like to add to Number.prototype, we could help advise on the vulnerability issues that adding these might introduce. On Mon, Mar 30, 2015 at 9:26 AM, Jordan Last <[email protected]> wrote: > For my project it would be really nice to add methods to Number.prototype > (or Object.prototype, but preferably Number.prototype), but Caja does not > seem to allow it. I've been fiddling a bit with the built source code, but > I can't seem to figure it out. Is there a safe way to do this? > > -- > > --- > You received this message because you are subscribed to the Google Groups > "Google Caja Discuss" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- Cheers, --MarkM -- --- You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
