On Sun, Mar 6, 2016 at 8:13 PM, Nova Tan <[email protected]> wrote:

> caja.load(undefined, uriPolicy, function(frame) {
>   frame.code('url-to-javascript', 'application/javascript')
>        .api({ document: document.getElementById('some-iframe').contentWindow.document })
>        .run();
> });
>

By passing an object in .api() you are exposing it directly to the guest
code, so all of Caja's security mechanisms are bypassed. There are two
issues here.

1. In order to provide a DOM safely and usefully to the guest you must
specify it in caja.load() instead:

caja.load(document.getElementById('some-iframe').contentWindow.document,
uriPolicy, function(frame) {
   ...
});

2. And in order to use .api safely you must use the taming membrane:
      .api({ someName: frame.tame(someObject) })
along with the relevant taming declarations for the type of someObject.
We're aware that this is a hazard and needs to be improved:
https://github.com/google/caja/issues/1693

In your case you do not need to use .api() at all.
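To make the difference between the two patterns concrete, here is an added illustration (not Caja's own code, and not part of the original thread) of what a taming membrane does: a minimal Proxy-based membrane that exposes only the properties a host declares, tames whatever a declared method returns, and rejects writes from the guest. The host object, the `declareTaming`/`tame` helpers and the `probeGuestAccess` guest probe are all constructed for this example; Caja's real `frame.tame()` and its taming declarations are considerably richer. It runs under Node without a browser or Caja.

```javascript
// Added illustration (not Caja's own code): a minimal taming membrane built
// on Proxy. It exposes only the properties a host explicitly declares, tames
// any object a declared method returns, and rejects writes from the guest.
// Caja's real frame.tame() does much more; this only shows what is lost when
// a raw object is passed straight into .api().

// Constructed stand-in for an iframe's document, with one harmless accessor
// and one method that rewrites host content.
const hostDocument = {
  title: 'Host page',
  body: { innerText: 'hello' },
  getTitle() { return this.title; },
  write(text) { this.body.innerText = text; return 'written'; },
};

// Taming declarations: for each host object, which properties the guest may
// read and which methods it may call. Anything undeclared is invisible.
const tamingDeclarations = new WeakMap();
function declareTaming(obj, { readable = [], callable = [] } = {}) {
  tamingDeclarations.set(obj, { readable: new Set(readable), callable: new Set(callable) });
  return obj;
}

// One proxy per host object, so object identity is stable across the membrane.
const tamedCache = new WeakMap();
function tame(value) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    return value;                      // primitives cross the membrane as-is
  }
  if (tamedCache.has(value)) return tamedCache.get(value);
  const decl = tamingDeclarations.get(value) || { readable: new Set(), callable: new Set() };
  const proxy = new Proxy(Object.create(null), {
    get(_target, prop) {
      if (decl.callable.has(prop)) {
        // Call on the real host object, but tame whatever comes back.
        // (A complete membrane would also tame the arguments flowing in.)
        return (...args) => tame(value[prop](...args));
      }
      if (decl.readable.has(prop)) return tame(value[prop]);
      return undefined;                // undeclared: does not exist for the guest
    },
    has(_target, prop) { return decl.readable.has(prop) || decl.callable.has(prop); },
    set() { return false; },           // guest writes never reach the host
    deleteProperty() { return false; },
    getPrototypeOf() { return null; }, // no path to host prototypes
  });
  tamedCache.set(value, proxy);
  return proxy;
}

// Guest-side probe: what can code that received `api.document` do with it?
function probeGuestAccess(api) {
  const doc = api.document;
  return {
    title: typeof doc.getTitle === 'function' ? doc.getTitle() : undefined,
    canWrite: typeof doc.write === 'function',
    canReachBody: doc.body !== undefined,
    canMutate: Reflect.set(doc, 'title', 'changed by guest'),
  };
}

// 1. The hazardous pattern from the thread: the raw object goes straight in.
function rawApi() {
  return { document: hostDocument };
}

// 2. The membrane pattern: declare what is allowed, then pass tame(obj).
function tamedApi() {
  declareTaming(hostDocument, { readable: ['title'], callable: ['getTitle'] });
  return { document: tame(hostDocument) };
}

const tamedResult = probeGuestAccess(tamedApi());  // probe the membrane first
const rawResult = probeGuestAccess(rawApi());      // the raw probe mutates the host
console.log('tamed:', tamedResult);
console.log('raw:', rawResult);
```

With the raw object the guest can call `write`, walk to `body`, and overwrite `title`; through the membrane it sees exactly `title` and `getTitle()` and nothing else, which is the property Caja's membrane is meant to give you and which `.api({ document: rawObject })` throws away.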
