Caja Security Advisory 2018-04-02

Skip to first unread message

Kevin Reid

Apr 2, 2018, 2:59:46 PM4/2/18
to Google Caja Discuss
## Background

Caja contains an optional feature, in the deprecated ES5/3 mode, to allow embedding Flash content. To do this, Caja has to specify options to prohibit the Flash content from being able to interact with the host page, bypassing the sandbox. A means was found to override this option.

## Impact and Advice

Given that ES5/3 mode is already deprecated, and the state of Flash on the web, we have decided to resolve this by removing all remaining support for Flash in Caja.

Users should upgrade to Caja v6013 or later, or if this is not immediately feasible, remove the `flash` option from their Caja configuration if it is present. If your application is not explicitly using the deprecated ES5/3 mode, this should not have any functional effect.
Reply all
Reply to author
0 new messages