Reviewers: kpreid2,
Description:
Fixes
https://code.google.com/p/google-caja/issues/detail?id=1962 by
working around
https://bugzilla.mozilla.org/show_bug.cgi?id=1152550,
which is currently causing cross-frame for/in to fail on some FF
betas.
Also change the whitelisting of %Generator%.prototype(.next, .return,
.throw) from t to *, since inheriting these should be safe.
NOTE: Not tested yet. Not to be submitted until tested.
Please review this at
https://codereview.appspot.com/222570043/
Affected files (+8, -4 lines):
M src/com/google/caja/ses/whitelist.js
Index: src/com/google/caja/ses/whitelist.js
===================================================================
--- src/com/google/caja/ses/whitelist.js (revision 5722)
+++ src/com/google/caja/ses/whitelist.js (working copy)
@@ -121,7 +121,10 @@
anonIntrinsics: {
ThrowTypeError: {},
IteratorPrototype: {
- constructor: false // suppress inherited '*'
+ constructor: false, // suppress inherited '*'
+ // See
https://bugzilla.mozilla.org/show_bug.cgi?id=1152550
+ // and
https://code.google.com/p/google-caja/issues/detail?id=1962
+ next: '*'
},
ArrayIteratorPrototype: {},
StringIteratorPrototype: {},
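Review bot: The comment above `next: '*'` in IteratorPrototype gives only two URLs and does not say that the entry is a workaround, so a later reader of the whitelist cannot tell why a non-standard property is allowed or when it can be dropped. Because this file defines what untrusted code may reach, the reason belongs next to the entry, for example `// Workaround for FF beta cross-frame for/in failure; next is non-standard here, remove once bug 1152550 is fixed.` That wording is inferred from the commit description and from the comment in the GeneratorFunction hunk, so check it against the bug before committing. The anonIntrinsics object starts and ends outside the hunk.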
@@ -130,9 +133,10 @@
GeneratorFunction: {
prototype: {
prototype: {
- next: t,
- 'return': t,
- 'throw': t
+ next: *, // redundant, but IteratorPrototype.next isn't std
+ // and so might disappear in the future.
+ 'return': *,
+ 'throw': *
}
}
},
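Review bot: `next: *,`, `'return': *,` and `'throw': *` use a bare `*`, which is not a JavaScript expression, so whitelist.js will not parse as written. The IteratorPrototype hunk writes the same marker as the string `'*'`, and these three entries should match it: `next: '*',`, `'return': '*',`, `'throw': '*'`. The description notes the patch is untested; loading the file once would catch this before submission. The enclosing object literal starts and ends outside the hunk.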