Hey Kevin,

Thanks for the response, sorry I only saw it today. I tried the snippet you 
posted as well but couldn't get it to work. Basically I used the snippet 
below:
caja.load(document.getElementById('some-iframe').contentWindow.document,
          uriPolicy, function(frame) {
  frame.code('http://localhost:8080/bla.js', 'application/javascript').run();
});

With the same JavaScript response:
document.writeln("<SCRIPT language='JavaScript1.1' SRC=\"https://ad.doubleclick.net/some-ad\">");
document.writeln("</SCRIPT>");

I get this error: Uncaught script error: Uncaught Error: shouldn't happen:
start tag <script...> while in text insertion mode for SCRIPT in source:
"http://localhost:8080/bla.js"

Any insights? Thanks.

On Tuesday, March 8, 2016 at 5:48:30 AM UTC+11, Kevin Reid wrote:
>
> On Sun, Mar 6, 2016 at 8:13 PM, Nova Tan <[email protected]> wrote:
>
>> caja.load(undefined, uriPolicy, function(frame) {
>>   frame.code('url-to-javascript', 'application/javascript')
>>        .api({ document: document.getElementById('some-iframe').contentWindow.document })
>>        .run();
>> });
>>
>
> By passing an object in .api() you are exposing it directly to the guest 
> code, so all of Caja's security mechanisms are bypassed. There are two 
> issues here.
>
> 1. In order to provide a DOM safely and usefully to the guest you must 
> specify it in caja.load() instead:
>
> caja.load(document.getElementById('some-iframe').contentWindow.document, 
> uriPolicy, function(frame) {
>    ...
> });
>
> 2. And in order to use .api safely you must use the taming membrane:
>       .api({ someName: frame.tame(someObject) })
> along with the relevant taming declarations for the type of someObject.
> We're aware that this is a hazard and needs to be improved: 
> https://github.com/google/caja/issues/1693
>
> In your case you do not need to use .api() at all.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
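Editor's added illustration of the point in Kevin's reply: a host object passed straight through .api() reaches the guest with every edge intact, while a declaration-driven membrane (the idea behind frame.tame() plus taming declarations) exposes only what was declared and wraps what it returns. This is not code from the thread and not Caja's implementation; its declaration format, the makeHostDocument / makeMembrane / hostileGuest / benignGuest names, and the fetchToken host privilege are all constructed for the example. It runs stand-alone in Node.

```javascript
// Added illustration (not Caja's code): why a raw object handed to guest code
// bypasses every protection, and what a declaration-driven taming membrane
// changes. Every object here is a constructed stand-in; makeHostDocument,
// makeMembrane, fetchToken and the declaration format are assumptions for this
// example only, not Caja's API.

// Stand-in for the host's iframe document. Like a real DOM node it carries a
// path back to the host window (defaultView, element.ownerDocument).
function makeHostDocument() {
  const doc = {
    title: 'host page',
    cookie: 'session=abc123',             // something the guest must never read
    defaultView: null,
    createElement(tag) {
      return { tagName: tag.toUpperCase(), ownerDocument: doc };
    },
  };
  doc.defaultView = {
    document: doc,
    fetchToken() { return 'host-token'; }, // host-only privilege
  };
  return doc;
}

// Membrane factory. `declarations` maps a type name to the primitive
// properties the guest may read and the methods it may call, each method
// carrying the declared type of its return value so results are wrapped too.
function makeMembrane(declarations) {
  const wrappers = new WeakMap();        // one wrapper per host object (identity preserved)
  const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

  function tame(target, typeName) {
    if (target === null || typeof target !== 'object') return target; // primitives pass through
    const decl = declarations[typeName];
    if (!decl) throw new Error('no taming declaration for type ' + typeName);
    if (wrappers.has(target)) return wrappers.get(target);

    const allowed = (key) => typeof key === 'string' &&
      (decl.props.includes(key) || own(decl.methods, key));

    const proxy = new Proxy(Object.create(null), {
      get(_, key) {
        if (!allowed(key)) return undefined;     // undeclared: invisible
        if (decl.props.includes(key)) {
          const value = target[key];
          // Only primitives read through; an undeclared object never leaks.
          return (value !== null && typeof value === 'object') ? undefined : value;
        }
        const returnType = decl.methods[key];
        // Guest arguments are primitives in this example; a full membrane
        // would untame arguments coming the other way as well.
        return (...args) => tame(target[key](...args), returnType);
      },
      has(_, key) { return allowed(key); },
      set() { throw new TypeError('membrane: writes to host objects are not permitted'); },
      deleteProperty() { throw new TypeError('membrane: deletes are not permitted'); },
    });
    wrappers.set(target, proxy);
    return proxy;
  }
  return tame;
}

// What a 'document' and an 'element' look like to the guest (constructed format).
const domDeclarations = {
  document: { props: ['title'], methods: { createElement: 'element' } },
  element:  { props: ['tagName'], methods: {} },
};

// Hostile guest: climb from the document to the host window and use a
// host-only privilege, trying both the direct and the element-hop route.
function hostileGuest(api) {
  const doc = api.document;
  let win = doc.defaultView;
  if (!win) {
    const el = doc.createElement('a');
    win = el.ownerDocument && el.ownerDocument.defaultView;
  }
  if (win && typeof win.fetchToken === 'function') return win.fetchToken();
  return null;
}

// Benign guest: uses only the declared surface.
function benignGuest(api) {
  const el = api.document.createElement('div');
  return api.document.title + ':' + el.tagName;
}

function demo() {
  const tame = makeMembrane(domDeclarations);
  return {
    rawEscape:   hostileGuest({ document: makeHostDocument() }),                  // 'host-token'
    tamedEscape: hostileGuest({ document: tame(makeHostDocument(), 'document') }), // null
    tamedBenign: benignGuest({ document: tame(makeHostDocument(), 'document') }),  // 'host page:DIV'
  };
}

console.log(demo());
```

The raw .api() case is the one from the original post: the guest gets the real document and walks defaultView to host privileges. The membrane case is what caja.load(domElement, ...) and frame.tame() exist for, with the caveat that the real thing also handles arguments flowing guest-to-host and far more edge cases than this sketch.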
