The forum seems to be less responsive than the Google group.
I am posting my question again here:

Still under development: do not use for production systems yet, there are
known security holes that need to be closed.

Are the current security holes in SES relevant to the Klipse use case?

On Thu, Jan 10, 2019 at 10:12 AM Yehonathan Sharvit <[email protected]>
wrote:

> Sounds good!
>
> On Tue, Jan 8, 2019 at 9:35 PM Mark Miller <[email protected]> wrote:
>
>> Hi Yehonathan,
>>
>> Brian Warner just posted a response at
>> https://ocapjs.org/t/using-ses-to-protect-klipse/40
>>
>> Please let's continue the discussion there. Thanks!
>>
>>
>>
>> On Tue, Jan 8, 2019 at 10:54 AM Yehonathan Sharvit <[email protected]>
>> wrote:
>>
>>> Can you provide a standalone js file of SES and what should be the
>>> function to call in order to achieve a sanitized eval?
>>>
>>> On Tuesday, 8 January 2019 00:16:07 UTC+2, MarkM wrote:
>>>>
>>>> Yes, SES is exactly the right tool for that purpose. As you have
>>>> questions or feedback, please file issues at
>>>> https://github.com/Agoric/SES or post to https://ocapjs.org
>>>>
>>>> Good luck with this project, and thanks!
>>>>
>>>>
>>>> On Mon, Jan 7, 2019 at 1:53 PM Yehonathan Sharvit <[email protected]>
>>>> wrote:
>>>>
>>>>> My use case is Klipse <https://github.com/viebel/klipse>, a
>>>>> JavaScript plugin that allows interactive code snippets to be embedded on
>>>>> a web page.
>>>>> I'd like to allow all blog platforms like Medium or dev.to to integrate
>>>>> with Klipse.
>>>>> My concern is that a malicious blog writer will write a malicious code
>>>>> snippet and use Klipse to evaluate the code snippet on the browser of blog
>>>>> readers.
>>>>>
>>>>> I am looking for a way to sanitize the evaluation function that Klipse
>>>>> uses to evaluate the code snippets.
>>>>>
>>>>> Could I use SES for the purpose of Klipse?
>>>>>
>>>>> Please let me know if you need further clarifications.
>>>>>
>>>>>
>>>>> On Mon, Jan 7, 2019 at 9:59 PM Mark Miller <[email protected]> wrote:
>>>>>
>>>>>> We have set up a Discourse site at https://ocapjs.org/ for
>>>>>> discussing object-capabilities (ocaps) for JavaScript. I suggest that
>>>>>> further discussion on this topic should move there.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Jan 7, 2019 at 11:51 AM Mark Miller <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Yehonathan,
>>>>>>>
>>>>>>> From your description, I suspect you want the SES library at
>>>>>>> https://github.com/Agoric/SES rather than Caja.
>>>>>>>
>>>>>>> Caja contains the original-SES, which still works fine, but mostly
>>>>>>> supports only the features from ECMAScript 5 with a few select elements
>>>>>>> of ECMAScript 6.
>>>>>>>
>>>>>>> SES is built on modern JavaScript and supports modern JavaScript ---
>>>>>>> including all of the ECMAScript 2018 standard. It is also much faster
>>>>>>> than the original-SES in Caja. SES is a joint effort of Agoric and
>>>>>>> Salesforce. Unlike Caja, SES runs everywhere modern JavaScript runs,
>>>>>>> including both browser and Node. See
>>>>>>> https://www.youtube.com/watch?v=3ME7oHHQbuM
>>>>>>>
>>>>>>> https://www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2
>>>>>>>
>>>>>>> https://www.youtube.com/watch?v=mSNxsn0pK74&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2
>>>>>>>
>>>>>>> OTOH, Caja contains Domado, which is a taming of the browser and DOM
>>>>>>> APIs, so that you can give your untrusted code access to a subtree of
>>>>>>> your DOM tree. We expect to reproduce this functionality eventually on
>>>>>>> modern SES but, currently, we are not treating it as urgent. If you need
>>>>>>> Domado functionality in order to use SES rather than Caja, please let us
>>>>>>> know.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jan 7, 2019 at 8:19 AM Mike Stay <[email protected]> wrote:
>>>>>>>
>>>>>>>> Yes, this is what Caja was designed to do.  You may not need all of
>>>>>>>> Caja, though.  Can you tell us more about what you'd like to allow
>>>>>>>> them to do?
>>>>>>>>
>>>>>>>> On Mon, Jan 7, 2019 at 8:32 AM Yehonathan Sharvit <[email protected]>
>>>>>>>> wrote:
>>>>>>>> >
>>>>>>>> > Hello Caja folks,
>>>>>>>> >
>>>>>>>> > I'd like to allow users to eval javascript code snippets on my
>>>>>>>> website.
>>>>>>>> > But eval is too dangerous.
>>>>>>>> >
>>>>>>>> > I was thinking of using Caja to provide a sanitized version of
>>>>>>>> eval.
>>>>>>>> >
>>>>>>>> > Is it possible with caja to evaluate dynamic code snippets
>>>>>>>> provided by users?
>>>>>>>> > If yes, how?
>>>>>>>> >
>>>>>>>> > Thanks,
>>>>>>>> > Yehonathan
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> >
>>>>>>>> > ---
>>>>>>>> > You received this message because you are subscribed to the
>>>>>>>> Google Groups "Google Caja Discuss" group.
>>>>>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to [email protected].
>>>>>>>> > For more options, visit https://groups.google.com/d/optout.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike Stay - [email protected]
>>>>>>>> http://math.ucr.edu/~mike
>>>>>>>> https://reperiendi.wordpress.com
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>   Cheers,
>>>>>>>   --MarkM
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>   Cheers,
>>>>>>   --MarkM
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>   Cheers,
>>>>   --MarkM
>>>>
>>>
>>
>>
>> --
>>   Cheers,
>>   --MarkM
>>
>

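The concern raised in the thread, that a malicious snippet handed to plain eval can tamper with what the host page and every later snippet see, can be shown in working code. What follows is an added example for this page; it is not code from the thread, from Klipse, or from SES or Caja. It reproduces one of the things SES's lockdown step does, deep-freezing the shared intrinsics so that a snippet cannot replace Array.prototype.map, and runs the same poisoning attempt before and after. The two snippet strings, the root list inside hardenIntrinsics and the helper names are assumptions made for the demonstration. It is not a sandbox on its own: the snippet still runs with the page's full global object (document, fetch, cookies in a browser), which is the part SES adds by evaluating code in a confined compartment whose global holds only the endowments the host chooses to pass in.

```javascript
'use strict';

// Constructed stand-ins for code a blog author could place in a Klipse block.
// Neither is from the thread; they exist only to drive the demonstration.
const MALICIOUS_SNIPPET = `
  // Replace a shared intrinsic. Every later call to Array.prototype.map,
  // by the host page or by other snippets, now runs the attacker's code.
  Array.prototype.map = function () { return ['pwned']; };
  1 + 1;
`;

const BENIGN_SNIPPET = '[1, 2, 3].map(x => x * 2)';

// A naive "evaluate the code block" integration: indirect eval runs the
// snippet in the global scope and returns its completion value.
function evalSnippet(code) {
  const indirectEval = eval;
  return indirectEval(code);
}

// Deep-freeze the shared intrinsics reachable from these roots (an assumed,
// deliberately short list; SES's lockdown covers the whole primordial set and
// repairs a few intrinsics first). Descend through property descriptors only:
// never call getters, since several intrinsic accessors throw when read.
function hardenIntrinsics() {
  const roots = [
    Object.prototype, Function.prototype, Array.prototype, String.prototype,
    Number.prototype, Boolean.prototype, RegExp.prototype, Date.prototype,
    Map.prototype, Set.prototype, Promise.prototype, JSON, Math, Reflect,
  ];
  const seen = new Set();
  const queue = [...roots];
  while (queue.length > 0) {
    const obj = queue.pop();
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function') || seen.has(obj)) {
      continue;
    }
    seen.add(obj);
    Object.freeze(obj);
    for (const key of Reflect.ownKeys(obj)) {
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if ('value' in desc) {
        queue.push(desc.value);
      } else {
        queue.push(desc.get, desc.set);
      }
    }
    queue.push(Object.getPrototypeOf(obj));
  }
  return seen.size; // number of objects frozen
}

// Run the attack and then the benign snippet on unprotected intrinsics,
// restoring Array.prototype.map afterwards so the rest of the demo is clean.
function runUnprotected() {
  const originalMap = Array.prototype.map;
  try {
    evalSnippet(MALICIOUS_SNIPPET);
    return evalSnippet(BENIGN_SNIPPET); // the host's own map is gone as well
  } finally {
    if (!Object.isFrozen(Array.prototype)) {
      Array.prototype.map = originalMap;
    }
  }
}

// The same sequence after hardening. The snippet runs in sloppy mode (no
// 'use strict' inside the string), so its assignment to a frozen property
// silently fails instead of throwing; the snippet still completes with 2.
function runHardened() {
  hardenIntrinsics();
  evalSnippet(MALICIOUS_SNIPPET);
  return evalSnippet(BENIGN_SNIPPET);
}

const UNPROTECTED_RESULT = runUnprotected(); // ['pwned']
const HARDENED_RESULT = runHardened();       // [2, 4, 6]

console.log('unprotected:', UNPROTECTED_RESULT);
console.log('hardened:   ', HARDENED_RESULT);
console.log('Array.prototype frozen:', Object.isFrozen(Array.prototype));
```

Run it with node. The unprotected pass shows the benign snippet returning ['pwned'] because the attacker's replacement of map survived into the next evaluation; after hardenIntrinsics the same attack is a silent no-op and map behaves normally. Freezing has to happen once, before any untrusted code runs, which is why SES performs it as a one-time lockdown of the realm rather than per snippet.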
