fel...@gmail.com
unread,May 24, 2012, 8:13:38 PM5/24/12Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to jas...@gmail.com, meta...@gmail.com, eri...@gmail.com, google-ca...@googlegroups.com, re...@codereview-hr.appspotmail.com
On 2012/05/25 00:04:01, MarkM wrote:
> > This is non-scary because all the relevant tests run fine
> > with the closured versions.
> That's a joke right? (Unless we're assuming that attackers will only
write
> attacks we're already testing ;).)
heh, yes.
caja-minified.js seems to me unproblematic since it doesn't do much
itself that's security-critical, all the security guarantees of caja are
elsewhere.
html-sanitizer-minified.js is more trouble since it does implement
security guarantees, but many of our tests for that are security tests,
and there are places that are already closure-izing html-sanitizer, so I
think we might as bake that into our build/test process.
If we have serious concerns about the potential of Closure to break
security guarantees, I can maintain the distinction between
foo-minified.js and foo-closured.js, and then it's up to the
container/integrator to make that risk choice, but I think that's asking
too much from container implementers, we should handle that risk
ourselves.
http://codereview.appspot.com/6257051/