Google Caja Discuss

1–30 of 10391

0 selected

Mike Power, … Mark S. Miller4

1/14/20

Caja performance recommendations

Well since the broad conclusion is not caja, and there are a great many ses discussions regarding

unread,

Caja performance recommendations

Well since the broad conclusion is not caja, and there are a great many ses discussions regarding

1/14/20

6/6/19

Caja Security Advisory 2019-06-06

## Background When guest HTML contains an element that is not permitted by Caja's whitelist, it

unread,

Caja Security Advisory 2019-06-06

## Background When guest HTML contains an element that is not permitted by Caja's whitelist, it

6/6/19

Mark Miller, Kevin Reid3

1/16/19

Public disclosure of responsibly disclosed SES bugs

That's a good point. I missed that. Yes, if the mandatory parse rejects template strings, I don

unread,

Public disclosure of responsibly disclosed SES bugs

That's a good point. I missed that. Yes, if the mandatory parse rejects template strings, I don

1/16/19

Yehonathan Sharvit, … Mark Miller16

1/13/19

sanitized eval with Caja

Hi Yehonathan, I have gone through the public issues at https://github.com/Agoric/SES/issues , filed

unread,

sanitized eval with Caja

Hi Yehonathan, I have gone through the public issues at https://github.com/Agoric/SES/issues , filed

1/13/19

Mike Stay, Mark Miller6

1/9/19

Status of other sources of SES?

Neither Agoric nor Salesforce are likely to invest effort backporting fixes into original-SES. I

unread,

Status of other sources of SES?

Neither Agoric nor Salesforce are likely to invest effort backporting fixes into original-SES. I

1/9/19

12/3/18

POLA Would Have Prevented the Event-Stream Incident

The npm / event-stream incident is the perfect teaching moment for POLA (Principle of Least Authority

unread,

POLA Would Have Prevented the Event-Stream Incident

The npm / event-stream incident is the perfect teaching moment for POLA (Principle of Least Authority

12/3/18

10/30/18

Strawman: defending from deep recursion and long loops

Hi, I have a simple browser test set up at: https://michaelfig.github.io/caja/exhaust.html I don'

unread,

Strawman: defending from deep recursion and long loops

Hi, I have a simple browser test set up at: https://michaelfig.github.io/caja/exhaust.html I don'

10/30/18

Michael FIG, … Mark Miller7

10/16/18

Defending from long-running or infinite loops

On Mon, Oct 15, 2018 at 7:15 PM Michael FIG <kekito.fig@gmail.com> wrote: I think I will also

unread,

Defending from long-running or infinite loops

On Mon, Oct 15, 2018 at 7:15 PM Michael FIG <kekito.fig@gmail.com> wrote: I think I will also

10/16/18

4/2/18

Caja Security Advisory 2018-04-02

## Background Caja contains an optional feature, in the deprecated ES5/3 mode, to allow embedding

unread,

Caja Security Advisory 2018-04-02

## Background Caja contains an optional feature, in the deprecated ES5/3 mode, to allow embedding

4/2/18

Marc H, … Mike Stay9

2/12/18

Script inclusion error

For the specific case of Math, you could shadow the real Math object with an object that merely

unread,

Script inclusion error

For the specific case of Math, you could shadow the real Math object with an object that merely

2/12/18

Marc H, Kevin Reid2

2/9/18

Dynamic guest page embedding

On Fri, Feb 9, 2018 at 12:32 PM, Marc H <zappythepro@gmail.com> wrote: I am trying to use Caja

unread,

Dynamic guest page embedding

On Fri, Feb 9, 2018 at 12:32 PM, Marc H <zappythepro@gmail.com> wrote: I am trying to use Caja

2/9/18

11/14/17

Caja Security Advisory 2017-11-14

## Background Browsers have recently added new language features which allow executing code from a

unread,

Caja Security Advisory 2017-11-14

## Background Browsers have recently added new language features which allow executing code from a

11/14/17

11/4/17

On these lists, sometimes we cross-post when introducing a topic but then announce that further

unread,

On these lists, sometimes we cross-post when introducing a topic but then announce that further

11/4/17

My Routes, Kevin Reid2

11/3/17

Feature request: add 'allow-geolocation' to IFRAME sandbox mode in HtmlService

On Wed, Nov 1, 2017 at 8:20 AM, My Routes <myroutes3@gmail.com> wrote: In order for a cross-

unread,

Feature request: add 'allow-geolocation' to IFRAME sandbox mode in HtmlService

On Wed, Nov 1, 2017 at 8:20 AM, My Routes <myroutes3@gmail.com> wrote: In order for a cross-

11/3/17

jwi...@lifelink.com, … Mike Stay4

8/23/17

Syntax error when following example code

In particular, there's this snippet: ------------------- Running guest JavaScript from content

unread,

Syntax error when following example code

In particular, there's this snippet: ------------------- Running guest JavaScript from content

8/23/17

Doug Koellmer, … Mike Stay13

5/25/17

As far as destroying an interval goes, you can replace the existing setInterval function before

unread,

As far as destroying an interval goes, you can replace the existing setInterval function before

5/25/17

5/3/17

CFP: OCAP 2017, Object-Capability Languages, Systems, and Applications

http://conf.researchr.org/track/ocap-2017/ocap-2017#Call-for-Presentations Call for Presentations The

unread,

CFP: OCAP 2017, Object-Capability Languages, Systems, and Applications

http://conf.researchr.org/track/ocap-2017/ocap-2017#Call-for-Presentations Call for Presentations The

5/3/17

o x, Kevin Reid3

5/2/17

load caja from iframes and load the caja lib ones in window.parent.caja

thank you Kevin Reid! that did the the trick :) On Tuesday, May 2, 2017 at 11:50:02 PM UTC+7, Kevin

unread,

load caja from iframes and load the caja lib ones in window.parent.caja

thank you Kevin Reid! that did the the trick :) On Tuesday, May 2, 2017 at 11:50:02 PM UTC+7, Kevin

5/2/17

o x, Kevin Reid6

5/2/17

how to unescape the content of guest before run?

ok thank you On Tuesday, May 2, 2017 at 11:17:54 PM UTC+7, Kevin Reid wrote: You'll have to

unread,

how to unescape the content of guest before run?

ok thank you On Tuesday, May 2, 2017 at 11:17:54 PM UTC+7, Kevin Reid wrote: You'll have to

5/2/17

felbus, Kevin Reid3

4/19/17

allow base64 data uri

ok thanks, ill take a look.. On Monday, 17 April 2017 17:46:01 UTC+1, Kevin Reid wrote: On Mon, Apr

unread,

allow base64 data uri

ok thanks, ill take a look.. On Monday, 17 April 2017 17:46:01 UTC+1, Kevin Reid wrote: On Mon, Apr

4/19/17

felbus, Kevin Reid3

4/15/17

Allow full display and interaction with Html Emails

yep, that worked, thanks On Friday, 14 April 2017 18:05:58 UTC+1, Kevin Reid wrote: On Fri, Apr 14,

unread,

Allow full display and interaction with Html Emails

yep, that worked, thanks On Friday, 14 April 2017 18:05:58 UTC+1, Kevin Reid wrote: On Fri, Apr 14,

4/15/17

Vinod Patel, Kevin Reid2

4/13/17

Add third party scripts to guest code.

On Thu, Apr 13, 2017 at 4:39 AM, Vinod Patel <vinodpatel2006@gmail.com> wrote: is it possible

unread,

Add third party scripts to guest code.

On Thu, Apr 13, 2017 at 4:39 AM, Vinod Patel <vinodpatel2006@gmail.com> wrote: is it possible

4/13/17

Tapan Anand, Kevin Reid3

3/23/17

Do iframes with src still work in Caja?

Awesome! Thanks :) On Thursday, 23 March 2017 21:30:20 UTC+5:30, Kevin Reid wrote: On Thu, Mar 23,

unread,

Do iframes with src still work in Caja?

Awesome! Thanks :) On Thursday, 23 March 2017 21:30:20 UTC+5:30, Kevin Reid wrote: On Thu, Mar 23,

3/23/17

Mike Stay, … David Bruant3

3/17/17

Does ECMAScript2015's "import" keyword provide ambient authority to the filesystem?

Le 17/03/2017 à 03:57, 'Mark S. Miller' via Google Caja Discuss a écrit : [+lots] The current

unread,

Does ECMAScript2015's "import" keyword provide ambient authority to the filesystem?

Le 17/03/2017 à 03:57, 'Mark S. Miller' via Google Caja Discuss a écrit : [+lots] The current

3/17/17

10/6/16

Example code for SES?

Accidentally hit send. On Thu, Oct 6, 2016 at 2:53 PM, Mike Stay <metaweta@gmail.com> wrote:

unread,

Example code for SES?

Accidentally hit send. On Thu, Oct 6, 2016 at 2:53 PM, Mike Stay <metaweta@gmail.com> wrote:

10/6/16

6/1/16

Caja security advisory 2016-05-31

## Background For applications which used the Google API tamings (not enabled by default), the taming

unread,

Caja security advisory 2016-05-31

## Background For applications which used the Google API tamings (not enabled by default), the taming

6/1/16

re...@codereview-hr.appspotmail.com, fel...@gmail.com2

5/31/16

Update Selenium to 2.53.0. (issue 300240043 by kpreid@google.com)

lgtm https://codereview.appspot.com/300240043/

unread,

Update Selenium to 2.53.0. (issue 300240043 by kpreid@google.com)

lgtm https://codereview.appspot.com/300240043/

5/31/16

re...@codereview-hr.appspotmail.com, eri...@gmail.com2

5/27/16

Fix ses.funcLike protection against non-identifier names. (issue 301810043 by kpreid@google.com)

LGTM https://codereview.appspot.com/301810043/

unread,

Fix ses.funcLike protection against non-identifier names. (issue 301810043 by kpreid@google.com)

LGTM https://codereview.appspot.com/301810043/

5/27/16

Lukas Bombach, Kevin Reid4

5/26/16

Can Caja still be used in production?

On Tue, May 24, 2016 at 3:48 AM, 'Lukas Bombach' via Google Caja Discuss <google-caja-

unread,

Can Caja still be used in production?

On Tue, May 24, 2016 at 3:48 AM, 'Lukas Bombach' via Google Caja Discuss <google-caja-

5/26/16

5/2/16

Re: [Caja] How to pass HTML/JS data from DB to caja

On Sat, Apr 30, 2016 at 2:44 PM, eqSan <mehran.hzh@gmail.com> wrote: I'm trying to call

unread,

Re: [Caja] How to pass HTML/JS data from DB to caja

On Sat, Apr 30, 2016 at 2:44 PM, eqSan <mehran.hzh@gmail.com> wrote: I'm trying to call

5/2/16

Search

Clear search

Close search

Google apps

Main menu