Caja Security Advisory 2018-04-02
78 views
Skip to first unread message
Kevin Reid
Apr 2, 2018, 2:59:46 PM4/2/18
to Google Caja Discuss
## Background
Caja contains an optional feature, in the deprecated ES5/3 mode, to allow embedding Flash content. To do this, Caja has to specify options to prohibit the Flash content from being able to interact with the host page, bypassing the sandbox. A means was found to override this option.
## Impact and Advice
Given that ES5/3 mode is already deprecated, and the state of Flash on the web, we have decided to resolve this by removing all remaining support for Flash in Caja.
Users should upgrade to Caja v6013 https://github.com/google/caja/releases/tag/v6013 or later, or if this is not immediately feasible, remove the `flash` option from their Caja configuration if it is present. If your application is not explicitly using the deprecated ES5/3 mode, this should not have any functional effect.
Caja contains an optional feature, in the deprecated ES5/3 mode, to allow embedding Flash content. To do this, Caja has to specify options to prohibit the Flash content from being able to interact with the host page, bypassing the sandbox. A means was found to override this option.
## Impact and Advice
Given that ES5/3 mode is already deprecated, and the state of Flash on the web, we have decided to resolve this by removing all remaining support for Flash in Caja.
Users should upgrade to Caja v6013 https://github.com/google/caja/releases/tag/v6013 or later, or if this is not immediately feasible, remove the `flash` option from their Caja configuration if it is present. If your application is not explicitly using the deprecated ES5/3 mode, this should not have any functional effect.
Reply all
Reply to author
Forward
0 new messages