Re: [Caja] Precajoling HTML/JS

On Fri, May 2, 2014 at 11:23 AM, Helen Wu wrote: > I want to do the same thing as mentioned here: > https://groups.google.com/forum/#!msg/google-caja-discuss/ZEF9IupkJnQ/jyJTFuEbrwEJ > > However, I noticed that the post is a bit outdated now and some of the > files that are mentioned don't exist

[Caja] Re: Repair Object.create() & numeric properties bug in IE. (issue 91140043)

On Mon, May 5, 2014 at 5:13 PM, wrote: > I don't think it's wise to use `x` as property to add and delete ... any > generic `Point` class will have most likely an `x` property maybe with a > setter/getter or even worst, a typed value. > ...oops. You're right. When I wrote the fix I was thinking

[Caja] Re: Repair Object.create() & numeric properties bug in IE. (issue 91140043)

On Mon, May 5, 2014 at 5:23 PM, Andrea Giammarchi < andrea.giammar...@gmail.com> wrote: > last reminder is that apparently that operation flags forever the "object > shape" resulting in slower objects during their lifecycle ... although I > don't have many more details on this, it was rather a hin

Re: [Caja] Can I load javascript code into caja from the client side? And, why is the taming of functions necessary?

On Wed, May 28, 2014 at 6:11 AM, Will Caine wrote: > So, I am using some code such as the following to load a piece of > standalone javascript and passing it an API. I have two questions... > > caja.initialize({cajaServer: 'https://caja.appspot.com/', debug: true, > maxAcceptableSeverity: 'NO_KNO

Re: [Caja] Re: Issue 1916 in google-caja: [[ThrowTypeError]] checks don't pass in ES6

Allen Wirfs-Brock : > You tell me, what's the problem. The ES6 spec. says that %ThrowTypeError% > is non-extensible. > http://people.mozilla.org/~jorendorff/es6-draft.html#sec-%throwtypeerror% > > Only possible issue I see, is that perhaps 9.2.8 also needs to say that > the length property is non

Re: [Caja] WeakMap issue

On Thu, May 29, 2014 at 9:59 AM, Kris Kowal wrote: > On an unrelated note, WeakMap in Subversion is now coupled with SES’s > problem/fix system, which are changes I can’t bring to bear with a stand > alone WeakMap shim. The only viable solution may be to manually port all > subsequent patches. Al

Re: [Caja] Re: [google-caja] r5677 committed - Whitelist modern tabindex=....

On Fri, May 23, 2014 at 12:53 PM, wrote: > I've recently noticed a problem with tabindex on anchor tags. > The following line: > ${send.help} > is being altered to: > ${send.help} > in google apps script. Is there an exception case for anchor tags that > overrides the * behavior? > I just check

Re: [Caja] Re: [google-caja] r5677 committed - Whitelist modern tabindex=....

On Tue, Jun 3, 2014 at 4:34 PM, Mike Stay wrote: > In particular, that behavior does not occur on the Caja playground, so > it is an issue for apps script. > Actually, the playground hasn't been updated since the revision we're discussing was committed. I'm making a note to fix that. -- ---

Re: [Caja] Re: [google-caja] r5677 committed - Whitelist modern tabindex=....

On Tue, Jun 3, 2014 at 4:36 PM, Kevin Reid wrote: > On Tue, Jun 3, 2014 at 4:34 PM, Mike Stay wrote: > >> In particular, that behavior does not occur on the Caja playground, so >> it is an issue for apps script. >> > > Actually, the playground hasn't been updated since the revision we're > discu

Re: [Caja] Re: Issue 1916 in google-caja: [[ThrowTypeError]] checks don't pass in ES6

[re-adding list since it isn't just a ping now] On Mon, Jun 16, 2014 at 11:41 AM, Allen Wirfs-Brock wrote: > I just added the following to > http://people.mozilla.org/~jorendorff/es6-draft.html#sec-%throwtypeerror% in > my working draft: > > The length property of a %ThrowTypeError% function ha

Re: [Caja] Run caja locally and use eval in the guest

On Sun, Jun 15, 2014 at 12:41 PM, wrote: > In my app I want to use caja to display untrusted user code inside a div. > The code need to load images and fonts dynamically and to include js using > dynamic script tags. > All assets will be hosted on the same domain as the host page. > > Are there i

Re: [Caja] is the developers.google.com/caja/ up code examples upto date?

On Mon, Jun 30, 2014 at 10:18 AM, Randy Paries wrote: > When i follow the coding examples @ > https://developers.google.com/caja/docs/gettingstarted/ , there is no > mention of ses-single-frame.js and all the examples have reference to > https://caja.appspot.com > > So are there more up todate ex

Re: [Caja] Run caja locally and use eval in the guest

On Sun, Jun 22, 2014 at 6:40 AM, wrote: > I'm getting the following errors in FF 30 console: > The character encoding of the HTML document was not declared. The document > will render with garbled text in some browser configurations if the > document contains characters from outside the US-ASCII

Re: [Caja] Run caja locally and use eval in the guest

On Thu, Jul 3, 2014 at 1:42 AM, pablo platt wrote: > I've added "fetch: caja.policy.net.fetcher.USE_XHR" to the uriPolicy > Now it's able to get player.js but I'm getting "TypeError: ca is undefined > in source". > [...] > "Uncaught script error: TypeError: ca is undefined in source: " > http:/

Re: [Caja] Can I run the caja web server on windows?

On Thu, Jul 3, 2014 at 7:49 AM, Ryan Litvak wrote: > I have a need to run custom end user developed scripts from an intranet > application. I was looking to use Caja because it does exactly what I > need, however, I can't use https://caja.appspot.com/ for the cajaServer > so I was starting to lo

Re: [Caja] Cache common js libraries (e.g. jquery) for guests

On Mon, Jun 30, 2014 at 7:47 AM, crystal wrote: > Hi, > > In my app, we are trying to use caja to load a number of html fragments > (html, css and js) from the same vendor. These 3rd party fragments all use > same jquery library. The jquery library is fetched multi times by the proxy > server for

Re: [Caja] Having problems trying to self host caja

On Mon, Jul 14, 2014 at 7:22 AM, Ryan Litvak wrote: > My goal is to allow our users to upload custom scripts to extend the > functionality of our existing system. Essentially, at specific trigger > points they can tie in scripts. For those triggers I want to run their > code in caja so I can sa

Re: [Caja] Re: Object.observe() is part of Chrome 36

On Thu, Jul 17, 2014 at 10:15 AM, Mike Stay wrote: > Does this impact the weakmap emulation? Observation: WeakMap has also been enabled, so the emulation will not be used in this case. However, WeakMap.js should, for correctness, do one of: 1. patching Object.observe to suppress the hidden nam

Re: [Caja] Any way to mark an object not to be tamed in a cross-boundary call? Passing standard arrays between host and guest

On Mon, Jul 28, 2014 at 7:00 PM, Tim Shnaider wrote: > If event = [], I can not call any methods such as push: > > function timerFired(event) { > event.push(1); > } > > => TypeError: Can't add property 0, object is not extensible > > Do I need to provide special wrappers for Arrays that

Re: [Caja] Handling uncaught exceptions when executing pure JS functions

On Sun, Jul 27, 2014 at 5:18 AM, Tim Shnaider wrote: > What am I missing - there seems to be no mechanism to catch or handle > exceptions when executing pure JS > Trying to support user definable scripts so I've no control over content. > Do I need to wrap it in try/catch blocks? > The main "run

Re: [Caja] Re: An emulated function should have the same length as the original. (issue 121970043 by erig...@gmail.com)

On Mon, Aug 4, 2014 at 10:36 AM, wrote: > On 2014/08/04 17:33:17, kpreid2 wrote: > >> Oops. I forgot to mention: the change description needed to be >> > updated! > > I am surprised that it let me edit after the issue was closed, but it > did. Done. That doesn't modify the SVN commit message, w

Re: [Caja] Is Caja Gwt Client side ready ?

On Thu, Aug 7, 2014 at 10:48 PM, Debasish Padhy wrote: > I am keen to use the Caja on Gwt Client side to validate some scripts and > to parse CSS into a Dom tree. > > Can I use it with Gwt Client ? > > On a side note I found references to this class > com.google.caja.parser.css.CssTree.StyleShee

Re: [Caja] Is Caja Gwt Client side ready ?

On Sat, Aug 9, 2014 at 3:52 AM, Debasish Padhy wrote: > Thanks Kevin. From where this .js file is generated ? Gwt/java client code > or else or is it already written somewhere ? > Here's an excerpt of the build rule (in build.xml) which generates it:

Re: [Caja] Re: DATA TABLE TOOLS NOT WORKING IN GAS SCRIPT

Sorry I didn't get back to you sooner. Unfortunately, Flash is not currently supported. Please see my response on the issue you opened ( https://code.google.com/p/google-caja/issues/detail?id=1929 ) for more information. On Fri, Aug 8, 2014 at 11:12 PM, Saradambal Munusamy < saradambal.munus...@s

Re: [Caja] Re: Issue 1929 in google-caja: DATA TABLE TOOLS NOT WORKING IN CAJA

On Mon, Aug 11, 2014 at 9:57 PM, Mike Stay wrote: > On Mon, Aug 11, 2014 at 9:12 PM, wrote: > > > > Comment #2 on issue 1929 by saradamb...@ssomens.com: DATA TABLE TOOLS > NOT > > WORKING IN CAJA > > http://code.google.com/p/google-caja/issues/detail?id=1929 > > > > Hi, > > Thanks a lot for y

Re: [Caja] Rich-text editors compatible with Caja

On Tue, Aug 12, 2014 at 5:04 PM, Andrew Stillman wrote: > Before I lose faith, can anyone comment on whether there a known or > documented compatible rich text editor for Caja? > Unfortunately, most rich text editor components depend on the "contenteditable" browser feature, which is difficult i

Re: [Caja] HTML5 File API

On Tue, Aug 12, 2014 at 10:31 PM, Jay wrote: > Hello. > Are there any plans to provide support for the HTML5 File API? > There are no current plans to do so. Contributions of patches to support new features (securely) are of course welcome. -- --- You received this message because you are s

Re: [Caja] Function constructor DOS on Safari

On Thu, Aug 14, 2014 at 1:59 PM, Mike Stay wrote: > Guest code can crash the browser. It may be further exploitable with more > cleverness. > https://bugs.webkit.org/show_bug.cgi?id=131137 > For reference, "When using the Function constructor to create a function with the string "})({", the in

[Caja] Caja Security Advisory 2014-09-22

== Background == The so-called “Rosetta Flash” vulnerability can occur when a web server allows the attacker to control the first bytes of the response, even if they are limited to being ASCII alphanumeric characters. The response can be made to be interpreted as Flash content, allowing the attack

Re: [Caja] Latest client side version

On Sun, Oct 19, 2014 at 2:29 PM, Tim Shnaider wrote: > Is there a handy repository for the latest built version kept up to date > with commits? > Not currently. I'm using the pure client side version 5687 and it's throwing an error in > Chrome 38 saying ES5 is not supported in the browser. > V

Re: [Caja] Latest client side version

On Mon, Oct 20, 2014 at 11:17 AM, Tim Shnaider wrote: > Can you please help me with getting a built 5702, I don't even see any > instructions on building just the client side plugin. > Unfortunately there's no good way to build _exactly_ that. "ant jars-no-src" is the smallest build target that

Re: [Caja] How to remove position: absolute

On Wed, Dec 31, 2014 at 12:34 AM, Dusan Halicky wrote: > I am new to caja. I am using minified version of caja > (html-sanitizer-minified.js) from current SVN (r5706). How can I remove > position: absolute? When I call this: > > html_sanitize('test') > > It returns: > > test > > How do I remove i

Re: [Caja] Please caja editor to stop stripping structured data for rich snippets

On Mon, Dec 29, 2014 at 6:18 PM, Peter Chien < peterchienmd...@lumosdermatology.com> wrote: > I tried to include microdata following the guidelines here > https://support.google.com/webmasters/answer/99170?hl=en > and then tried to create it using this tool: > https://www.google.com/webmasters/mar

Re: [Caja] Error opening a url

On Fri, Jan 2, 2015 at 3:58 PM, Vasilis Sikkis wrote: > can anyone explain to me how to fixthis problem? > WARNING(4) FAILED_TO_LOAD_EXTERNAL_URL: unknown:///unknown:0+0: failed to > load external url > i have the js file in server of my university but i cant load it to the > caja.load() function

Re: [Caja] Re: Uncaught TypeError: Cannot read property 'nodeType' of undefined - AngularJS directive

On Fri, Jan 30, 2015 at 3:49 PM, Jordan Last wrote: > I've found a work-around. I haven't tested it much, but it at least > finishes off the caja.load from my example. I would like to know if my > solution is suitable (not dangerous to security) and if this is a problem > that needs to be fixed w

Re: [Caja] Re: Understanding the difference between Google Caja and Secure ECMAScript (SES), and if SES is ready to use

On Wed, Feb 4, 2015 at 11:03 AM, Jordan Last wrote: > That's the basic idea. The security issues arise with serving up > user-submitted practice problems to other users. Right now I have an > endpoint that Caja on the client's machine hits to grab the JavaScript for > a problem. It then does its

Re: [Caja] Re: Understanding the difference between Google Caja and Secure ECMAScript (SES), and if SES is ready to use

On Wed, Feb 4, 2015 at 12:10 PM, Jordan Last wrote: > Okay, so new theory: > > I'll run initSES.js on my client page. Now that page is a secure > environment. I'll either hit my endpoint or have the user-submitted > JavaScript on the client somehow already. > > The code that I write and is alread

Re: [Caja] Error opening a url

On Sat, Feb 7, 2015 at 7:52 AM, Vasilis Sikkis wrote: > Im trying the tutorial examples on the caja website i put the tutorials in > my server space but the caja.policy.net.ALL policy does not fix the problem. > Can you provide a link to your server so we can take a look at what's going on? --

Re: [Caja] Caja sanitizer removes data-attributes

On Wed, Mar 11, 2015 at 6:34 PM, anil chaurasia wrote: > for some reason Caja sanitizer removed all the data-attributes which were > present. > > All the data-attributes were safe and valid, Is there a way to customize > sanitizer to not do that ? > Unfortunately, there's no way to just turn t

Re: [Caja] Hide "back" and "forward" text from mainmenu

On Fri, Mar 13, 2015 at 2:30 AM, Pol Hallen wrote: > I use caja 1.8.2 (debian testing), is there a way to hide "back" and > "forward" text from mainmenu? > Sorry, but it sounds like you're using some other program called caja and you've found the wrong group for support. We're a web content san

Re: [Caja] Running basic example with third party domain

On Fri, Mar 20, 2015 at 4:47 AM, Tomasz Wysocki wrote: > I have created simple jsfiddle based on example in documentation: > > https://jsfiddle.net/xz2p5c3j/ > > The problem is that Caja JavaScript tries to fetch html directly, and that > ends as "Cross-Origin Request Blocked". > > How to force i

Re: [Caja] Error opening a url

No, Caja doesn't have special requirements of the web server its files are on. Oh, but maybe you have a cross-origin policy. If you're trying to load content using Caja from a third-party site (rather, one with a different domain name), then either you need to use a proxy (there's one supplied wit

[Caja] PLEASE HELP REVIEW project migration to GitHub

*Everyone: Please browse around in* *https://github.com/kpreid/caja-import-draft * *and reply if you see anything wrong with it.* Since Google Code Project Hosting is shutting down, we're moving to GitHub. I've done my best to migrate the bulk of the

Re: [Caja] PLEASE HELP REVIEW project migration to GitHub

On Thu, Apr 16, 2015 at 11:31 AM, Mike Stay wrote: > The only thing I see missing in the new issues is who changed which > labels, but I don't think that's a big deal. > Yes, known issue. Label changes could be put in the text, and it'd remove some "blank comments", but it didn't seem really wor

Re: [Caja] PLEASE HELP REVIEW project migration to GitHub

On Thu, Apr 16, 2015 at 12:05 PM, Mark Miller wrote: > Missing README home page. > Yes, that's a “one-off” thing which will be a manual fix for later. Right now, I need to know that there are not irreparable systematic errors in the bulk content (issues, code, wiki). -- --- You received this

[Caja] Google Code to GitHub migration notes

I am currently working on the complete migration of Caja from Google Code Project hosting to GitHub. (For information on the shutdown of Google Code Project Hosting, see: http://google-opensource.blogspot.com/2015/03/farewell-to-google-code.html ) I will be using this thread to document the steps I

Re: [Caja] caja.js error with fetch and render for mobile

On Mon, Apr 20, 2015 at 6:05 PM, Raj wrote: > So I ran the Mobile-Friendly Test for my website and noticed that it was > not rendered as desired for smartphones. I went to Webmaster Tools to > investigate further and found the following error: > It appears that the left sidebar on the website (as

[Caja] Re: ES5/3 compatibility fixes for native accessor properties and Error inheritance. (issue 247900043 by kpr...@google.com)

Mike Stay, I'm asking you to take a look at this because it's touching ES5/3 and I don't fully understand the code as it exists. In particular, is the change to markFunc safe? The ok___ test was introduced in r4822 < https://github.com/google/caja/commit/8cae568538b1b6a5eaca5ee886eb2a250a5fe606> b

[Caja] SES: Why do the mitigation options have two different sets of defaults?

In startSES.js, we have the following function which normalizes the mitigation options. If it is passed null/undefined, parseFunctionBody will be true, but if it is passed {}, parseFunctionBody will be false. Why? The context of this question is that I was considering using the sourceUrl option wh

Re: [Caja] Using caja.appspot.com in production?

On Mon, Jun 29, 2015 at 12:55 PM, Adam Pritchard wrote: > On Friday we rolled out a test of using Caja on a small-ish set of the > site(s) we serve. We had pre-cajoled the content (1 req/15 mins), and were > using caja.appspot.com/caja.js to put the content into the page. Shortly > thereafter, ca

Re: [Caja] Using caja.appspot.com in production?

On Tue, Jun 30, 2015 at 1:16 PM, Adam Pritchard wrote: > Well, don't I feel super dumb. > > Except... Where are the JS files? I can't find them linked to on the > product site, nor from the playground, nor can I find compiled versions of > them in Github. I tried to pull source to maybe build the

Re: [Caja] Using SES

On Jul 12, 2015 12:56, "Mike Stay" wrote: > > Is SES hosted minified on a CDN somewhere? I don't know of any such intended for public use, currently. -- --- You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group. To unsubscribe from this group a

Re: [Caja] Is there any replacement for unwrapDom ?

On Wed, Jul 22, 2015 at 6:43 AM, Tassos Bassoukos wrote: > Hi all, > in the API referenced from https://developers.google.com/caja/ there is a > function named unwrapDom that allows one to get the actual DOM element from > a tamed value; however that code no longer works as written, and the > unw

Re: [Caja] SES: Why do the mitigation options have two different sets of defaults?

On Sun, Jun 21, 2015 at 4:03 PM, Mark Miller wrote: > On Fri, Jun 19, 2015 at 3:02 PM, 'Kevin Reid' via Google Caja Discuss < > google-caja-discuss@googlegroups.com > <https://mail.google.com/mail/?view=cm&fs=1&tf=1&to=google-caja-discuss@googlegroups.com>

Re: [Caja] Is Google Caja still alive?

On Mon, Jan 18, 2016 at 2:03 AM, John Bosley wrote: > I'm really interested in Google Caja, but the playground appears to be > completely broken , I'm just getting "Error: > Server error" messages, and I see that someone reported this on the GitHub > site back in Septemb

[Caja] Caja Security Advisory 2016-01-28

## Background In certain cases, HTML elements can be “named” in ways which are reflected as properties of DOM nodes, possibly overriding the normal values of particular properties. Caja's DOM sandbox was not sufficiently aware of this, leading to exposing a host DOM node directly to the guest give

Re: [Caja] URI policy on guest javascript code not working

On Sun, Mar 6, 2016 at 8:13 PM, Nova Tan wrote: > caja.load(undefined, uriPolicy, function(frame) { > frame.code('url-to-javascript', 'application/javascript') >.api({ document: > document.getElementById('some-iframe').contentWindow.document; }) >.run(); > }); > By passing an o

Re: [Caja] URI policy on guest javascript code not working

On Tue, Mar 15, 2016 at 9:38 PM, Nova Tan wrote: > Thanks for the response, sorry I only saw it today. I tried the snippet > you posted as well but couldn't get it to work. Basically I used the > snippet below: > caja.load(document.getElementById('some-iframe').contentWindow.document, > uriPolicy

Re: [Caja] URI policy on guest javascript code not working

On Wed, Mar 16, 2016 at 11:31 PM, Nova Tan wrote: > Thanks Kevin, is there any work around if I don't have control of the > content? > Sorry, no. If you're adventurous enough to look into improving the relevant Caja subsystems to support things like this (or fix the bug, whichever it turns out t

[Caja] Re: ES6 changed to exempt more primordials prototypes from being plain object. (issue 288270043 by erig...@gmail.com)

On Mon, Feb 22, 2016 at 7:04 PM, Mark Miller wrote: > Nevermind. It is telling me the time that these changes were committed > anywhere, not when they were pushed to github, right? > Yes, exactly. More than you wanted to know: There are two dates in git commit data, the "author date" and the "c

Re: [Caja] Pass DOM from the guest to host or vice versa

On Sat, Apr 16, 2016 at 7:14 AM, Melisa Bok wrote: > I'm wanting to generate some tools to create DOM objects in the host place > and return the object created to the guest. I tried with several options > and I couldn't. Here is my code: > ... > var div = document.createElement("div"); >

Re: [Caja] Pass DOM from the guest to host or vice versa

On Tue, Apr 19, 2016 at 5:54 AM, Melisa Bok wrote: > Thanks Kevin for your response. > > I replace the line: > > return caja.tame(div); > > with: > > return frame.domicile.tameNodeAsForeign(div); > > I'm still getting the same error: This operation requires a TameBackedNode > when I try to append

[Caja] Caja Security Advisory 2016-04-21

## Background There are two issues covered by this advisory: * SES did not correctly understand variable names written using escaped characters, e.g. `\u0077indow`, and did not recognize at all the new `\u{...}` syntax introduced by ECMAScript 2015. This allowed access to host global variables (s

Re: [Caja] How to pass HTML/JS data from DB to caja

On Sat, Apr 30, 2016 at 2:44 PM, eqSan wrote: > I'm trying to call stored html from DB and pass it as content to > frame.code like this: > > > > caja.initialize({ > cajaServer: 'https://caja.appspot.com/' > });

Re: [Caja] Can Caja still be used in production?

On Mon, May 23, 2016 at 2:57 AM, 'Lukas Bombach' via Google Caja Discuss < google-caja-discuss@googlegroups.com> wrote: > Hi there, > > we can really make use of this project (or something similar) at welt.de > one of Germany's biggest daily newspapers. I have been told on GitHub >

Re: [Caja] Can Caja still be used in production?

On Tue, May 24, 2016 at 3:48 AM, 'Lukas Bombach' via Google Caja Discuss < google-caja-discuss@googlegroups.com> wrote: > Ok this is very helpful, thank you very much. > > The reason we don't want iFrames is performance and interactivity. Not > only do they load slower (ok Caja does too, but we ar

[Caja] Caja security advisory 2016-05-31

## Background For applications which used the Google API tamings (not enabled by default), the taming of the `google.load` function did not sanitize its arguments sufficiently. ## Impact and Advice The vulnerability allows invoking arbitrary functions on the host page that can be accessed throug

Re: [Caja] Do iframes with src still work in Caja?

On Thu, Mar 23, 2017 at 1:49 AM, Tapan Anand wrote: > Does caja support the src attribute of iframe? I see the iframe tag > whitelisted in the whitelist file (html4-elements-whitelist.json) but > when I try to run the code that I have shared in this plunker: > https://plnkr.co/edit/dQoxqpZBGTUNe0

Re: [Caja] Add third party scripts to guest code.

On Thu, Apr 13, 2017 at 4:39 AM, Vinod Patel wrote: > is it possible to add third party scripts to Caja Guest code? > > I want to use http://www.fusioncharts.com/ and ExtJS in guest code. > Caja itself doesn't make any "third party" distinction. It is a question of whether the host's policy allo

Re: [Caja] Allow full display and interaction with Html Emails

On Fri, Apr 14, 2017 at 2:48 AM, felbus wrote: > caja.load(document.getElementById('messagebox'), undefined, function(frame) { > frame.code(contentUrl, 'text/html').run(); > }); > > > When it is rendered on the page, the images and hrefs are all stripped > out. So you cannot see images or cli

Re: [Caja] allow base64 data uri

On Mon, Apr 17, 2017 at 1:39 AM, felbus wrote: > im tryng to display images inline in an html email with caja, and the > security policy seems to be stripping out all the encoded data. > data: URLs are not supported at all. We'd be interested in someone contributing the feature. It would invol

Re: [Caja] how to unescape the content of guest before run?

On Sun, Apr 30, 2017 at 10:11 PM, o x wrote: > how to unescape the content [for] guest before run? > i stored the content in escape string data and Caja load that content at > it is. > i wounder how to unescape the text content before Caja sanitize the text. > Could you explain what type of esca

Re: [Caja] how to unescape the content of guest before run?

You'll have to arrange for whatever unescaping you need yourself. On Mon, May 1, 2017 at 10:01 PM, o x wrote: > thank you for last replay. > so the .JS client post the escape html content (an advertisement content) > to asp.net server side. > the server store the content in xxx1.txt file, > the

Re: [Caja] load caja from iframes and load the caja lib ones in window.parent.caja

On Tue, May 2, 2017 at 12:53 AM, o x wrote: > hello > i have a few iFrames loading the Caja lib.. > so i have tried to load the lib from the parent page, but something get > wrong.. > [...] > i got this on the consul: > Uncaught TypeError: Cannot set property 'plugin_dispatchEvent___' of > undef

Re: [Caja] Re: Reusing DIVs.

On Thu, May 25, 2017 at 6:00 AM, Bert Lagaisse wrote: > I have a similar question. I'm trying to unload a frame (and containing > div), which has an interval in it. For some reason, the interval keeps > firing if I remove the div from the hostpage. > Is it possible to "unload" a guest page, or co

Re: [Caja] Feature request: add 'allow-geolocation' to IFRAME sandbox mode in HtmlService

On Wed, Nov 1, 2017 at 8:20 AM, My Routes wrote: > > In order for a cross-origin frame to use these feature, the Google Script > HtmlService based frame must specify a Feature Policy which enables the > feature for the frame. For example, to enable geolocation in an iframe the > developer should b

[Caja] Caja Security Advisory 2017-11-14

## Background Browsers have recently added new language features which allow executing code from a string: * the "import" expression, and * async functions and async generators (rather, the corresponding constructors of such functions). SES, being unaware of these features, could not prevent the

Re: [Caja] Script inclusion error

For what it's worth, I don't see anything obviously wrong with your code. I will have to see if I can reproduce the problem, but I do not expect to have time to investigate today. On Wed, Feb 7, 2018 at 10:05 AM, Marc H wrote: > This is a continuation of over here >

Re: [Caja] Script inclusion error

Got it. I gave you misspelled code, sorry. Try: var uriPolicy = { fetch: caja.policy.net.fetcher.USE_XHR, rewrite: caja.policy.net.rewriter.ALL }; Note 'fetch' and 'rewrite' instead of 'fetcher' and 'rewriter' in the property names. (Your script will also not work because it tries to access

Re: [Caja] Script inclusion error

On Fri, Feb 9, 2018 at 12:22 PM, Marc H wrote: > Thanks so much the snippet now works! Now I am trying to integrate this > with my project, which uses a framework called "A-Frame" for games and I > have run into another problem. > > When I include the framework script, (I believe) it tries to add

Re: [Caja] Dynamic guest page embedding

On Fri, Feb 9, 2018 at 12:32 PM, Marc H wrote: > I am trying to use Caja to sandbox users' games, to prevent malicious code > from being run, however when using Caja you us separate host and guest > pages eg. example.com/host and example.com/guest > > My concern is that an attacker could simply l

Re: [Caja] Script inclusion error

On Sun, Feb 11, 2018 at 2:47 AM, Marc H wrote: > Is there any workaround, or way to give the guest script access to these > objects? > No. Prohibiting such modifications is a central part of Caja's security strategy. -- --- You received this message because you are subscribed to the Google G

[Caja] Caja Security Advisory 2018-04-02

## Background Caja contains an optional feature, in the deprecated ES5/3 mode, to allow embedding Flash content. To do this, Caja has to specify options to prohibit the Flash content from being able to interact with the host page, bypassing the sandbox. A means was found to override this option.

Re: [Caja] sanitized eval with Caja

On Fri, Jan 11, 2019 at 7:12 AM Mike Stay wrote: > Also, is caja-discuss-undisclosed still the place to learn about the > security holes, or is there a new mailing list for those? > If you want to follow vulnerability information then google-caja-discuss contains all the public announcements. I

Re: [Caja] sanitized eval with Caja

On Sun, Jan 13, 2019 at 5:21 AM Yehonathan Sharvit wrote: > Can you please send a link to the public announcements about the security > holes in Caja? The announcements are cataloged at https://github.com/google/caja/wiki/SecurityAdvisories. -- --- You received this message because you are

[Caja] Re: Public disclosure of responsibly disclosed SES bugs

[bcc all lists except main Caja to reduce complexity since this is strictly Caja] On Tue, Jan 15, 2019 at 4:14 PM Mark Miller wrote: > https://github.com/tc39/proposal-realms/issues/193 ... The first should > affect Caja/original-SES as well. > If I understand correctly, this should not affect

[Caja] Caja Security Advisory 2019-06-06

## Background When guest HTML contains an element that is not permitted by Caja's whitelist, it is renamed to a custom element (e.g. `` becomes ``) so that it may exist in the DOM without having any of the side effects of the original name. However, such renaming could change how the text content

Re: [Caja] Caja performance recommendations

On Fri, Jan 10, 2020 at 10:40 AM 'Mike Power' via Google Caja Discuss < google-caja-discuss@googlegroups.com> wrote: > I have seen in posts (dated back in 2016) that caja can be very heavy > weight. Is there any documentation/data describing this? What are the best > ways to mitigate this? Has t