Run caja locally and use eval in the guest


pablo...@gmail.com

Jun 15, 2014, 3:41:19 PM
to google-ca...@googlegroups.com
Hi,
 
In my app I want to use caja to display untrusted user code inside a div.
The code needs to load images and fonts dynamically and to include JS using dynamic script tags.
All assets will be hosted on the same domain as the host page.

Are there instructions on how to host caja on my server?
What javascript files are needed and where to get the latest version?
Do I need to use es5Mode:true?
What are the supported browsers in serverless mode?

Is it possible to use eval in the guest?

Thanks

Kevin Reid

Jun 20, 2014, 5:13:00 PM
to Google Caja Discuss
On Sun, Jun 15, 2014 at 12:41 PM, <pablo...@gmail.com> wrote:
In my app I want to use caja to display untrusted user code inside a div.
The code needs to load images and fonts dynamically and to include JS using dynamic script tags.
All assets will be hosted on the same domain as the host page.

Are there instructions on how to host caja on my server?
What javascript files are needed and where to get the latest version?

Unfortunately, we haven't actually got those instructions. This is why I didn't get around to replying sooner: I wanted to make some better documentation to give you (but I haven't found the time to do that this week).

The situation was different with older versions which had heavy server components; it made more sense to take the whole lump and host that, and integration was generally nontrivial.

Briefly, here's what you need now for basic functionality:

1. Run the build command 'ant playground'. This will do more than you need, but it gets the files into a convenient spot.

2. Take the following files from the directory ant-war/, where XXXX is the current version number:

caja.js
caja-minified.js
XXXX/ses-single-frame.js
XXXX/ses-single-frame.opt.js
XXXX/utility-frame.js
XXXX/utility-frame.opt.js
 
Put those on your server anywhere you like, and pass the URL of that directory as the "cajaServer" argument to the caja.initialize() call.

(Whether the minified "opt" files or the original ones are used is determined by the "debug" argument.)

Do I need to use es5Mode:true?

No, but we are deprecating and removing the alternatives, so specifying it now will ensure you don't rely on the behavior of no-longer-supported modes.

(If you get the code from svn trunk, you will get an ES5-mode-only version. If you get branches/es53/ instead, you get the one with ES5/3 mode and the server-side functions, which we do not recommend you use.)
 
What are the supported browsers in serverless mode?

Anything which supports ECMAScript 5 sufficiently correctly, which is at least current versions of Chrome, Firefox, and Safari, and Internet Explorer 11. (That's off the top of my head and might not be exactly right.)
 
Is it possible to use eval in the guest?

Yes, but depending on what form you use, eval'd code might not see the environment exactly as it would under the non-Caja case.

pablo...@gmail.com

Jun 22, 2014, 9:40:33 AM
to google-ca...@googlegroups.com
Thank you for your answer.
I'm trying to use the iSpring pro player (evaluation) in the guest page.
This is the guest:
https://drive.google.com/file/d/0BxtO-pPpZS0FRU9XbHdrb09FcE0/

I'm getting the following errors in FF 30 console:
The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. host.html
TypeError: mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create ses-single-frame.js:3603
SES initialization ses-single-frame.js:969
"Repaired: Non-deletable RegExp statics are a global communication channel" ses-single-frame.js:948
"Repaired: Date.prototype is a global communication channel" ses-single-frame.js:948
"Repaired: WeakMap.prototype is a global communication channel" ses-single-frame.js:948
"Not repaired: Strict getter must not box this, but does" ses-single-frame.js:948
"Not repaired: [[ThrowTypeError]] is not frozen" ses-single-frame.js:948
"Not repaired: [[ThrowTypeError]] has normal function properties" ses-single-frame.js:948
"Max Severity: Safe spec violation(1)." ses-single-frame.js:948
"Repaired: WeakMap throws when given some keys" ses-single-frame.js:948
"438 Apparently fine" ses-single-frame.js:948
"123 Deleted" ses-single-frame.js:948
"1 Frozen harmless" ses-single-frame.js:948
"Max Severity: Safe spec violation(1)." ses-single-frame.js:948
"initSES succeeded." ses-single-frame.js:948
"Uncaught script error: Error: not loaded in source: "http://localhost:8000/presentation/data/player.js?B29519F1" at line: 1" ses-single-frame.js:27119
"Uncaught script error: TypeError: PresentationPlayer is undefined in source: "http://localhost:8000/presentation/index.html" at line: 1" ses-single-frame.js:27119

This is the host page:
<html>
  <head>
    <title>Caja host page</title>
    <script type="text/javascript"
            src="//caja.appspot.com/caja.js">
    </script>
  </head>

  <body>
    <h1>Caja host page</h1>
    <div id="guest"></div>
    <script type="text/javascript">
      var uriPolicy = {
        rewrite: function(uri) {
          return uri;
        }
      };
      caja.initialize({
        cajaServer: 'https://caja.appspot.com/',
        es5Mode:true,
        debug: true
      });
      caja.load(document.getElementById('guest'), uriPolicy, function(frame) {
        frame.code('/presentation/index.html',
                   'text/html')
             .run();
      });
    </script>
  </body>
</html>


Am I doing something wrong, or does the guest use something that is not supported by caja?

Thanks

Kevin Reid

Jul 2, 2014, 1:58:41 PM
to Google Caja Discuss
On Sun, Jun 22, 2014 at 6:40 AM, <pablo...@gmail.com> wrote:
I'm getting the following errors in FF 30 console:
The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. host.html
TypeError: mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create ses-single-frame.js:3603
SES initialization ses-single-frame.js:969
"Repaired: Non-deletable RegExp statics are a global communication channel" ses-single-frame.js:948
"Repaired: Date.prototype is a global communication channel" ses-single-frame.js:948
"Repaired: WeakMap.prototype is a global communication channel" ses-single-frame.js:948
"Not repaired: Strict getter must not box this, but does" ses-single-frame.js:948
"Not repaired: [[ThrowTypeError]] is not frozen" ses-single-frame.js:948
"Not repaired: [[ThrowTypeError]] has normal function properties" ses-single-frame.js:948
"Max Severity: Safe spec violation(1)." ses-single-frame.js:948
"Repaired: WeakMap throws when given some keys" ses-single-frame.js:948
"438 Apparently fine" ses-single-frame.js:948
"123 Deleted" ses-single-frame.js:948
"1 Frozen harmless" ses-single-frame.js:948
"Max Severity: Safe spec violation(1)." ses-single-frame.js:948
"initSES succeeded." ses-single-frame.js:948

All of this is fine.
 
"Uncaught script error: Error: not loaded in source: "http://localhost:8000/presentation/data/player.js?B29519F1" at line: 1" ses-single-frame.js:27119

This is the unfortunately-generic fetch-failed error.

The problem is that your URI policy provides a rewrite function but not a fetch function. This means that Caja cannot execute external scripts.

You can use caja.policy.net.ALL instead of your uriPolicy object, or you can add "fetch: caja.policy.net.fetcher.USE_XHR" to it; the latter will skip using the Caja proxy server, which is fine as long as the scripts you want to load are same-domain (or CORS-enabled) as they are in this example.
 
"Uncaught script error: TypeError: PresentationPlayer is undefined in source: "http://localhost:8000/presentation/index.html" at line: 1" ses-single-frame.js:27119

This is the consequence of the previous error.
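The fix Kevin describes, written out as an added example (my code, not Caja's and not from the thread). It keeps the fetch function the host page was missing, but also replaces the pass-everything rewrite from the posted host page with a same-origin check, since the guest in this thread only needs assets from its own host. Assumptions not stated on the page: that Caja treats a null return from rewrite() as "deny this URI", and the 'PLACEHOLDER_FETCHER' string, which only stands in for caja.policy.net.fetcher.USE_XHR when the code is loaded outside a browser.

```javascript
// Added example, not Caja project code.
// Builds a Caja uriPolicy whose rewrite() only lets same-origin http(s)
// URIs through and whose fetch uses the XHR fetcher from Kevin's reply.

function makeSameOriginRewrite(hostOrigin) {
  // Normalise whatever the caller passed (e.g. location.origin) to a bare origin.
  var host = new URL(hostOrigin).origin;
  return function rewrite(uri) {
    var parsed;
    try {
      // Relative guest URIs such as '/presentation/index.html' resolve
      // against the host origin, which is where the guest's assets live.
      parsed = new URL(uri, host);
    } catch (e) {
      return null; // unparsable: deny (assumption: null means "do not load")
    }
    // javascript:, data: and cross-origin URIs all fail the origin check;
    // the scheme check additionally rejects blob: URLs, whose origin can
    // match the host.
    if (parsed.origin !== host) {
      return null;
    }
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
      return null;
    }
    return parsed.href;
  };
}

function makeUriPolicy(hostOrigin) {
  // In the browser this is Caja's XHR fetcher (same-domain or CORS-enabled
  // resources only, no Caja proxy). Outside a browser `caja` is undefined,
  // so a labelled placeholder is used to keep the module loadable.
  var fetcher = (typeof caja !== 'undefined')
    ? caja.policy.net.fetcher.USE_XHR
    : 'PLACEHOLDER_FETCHER';
  return { rewrite: makeSameOriginRewrite(hostOrigin), fetch: fetcher };
}

// Usage in the host page from the thread (only runs where caja.js is loaded):
// caja.initialize({ cajaServer: 'https://caja.appspot.com/', es5Mode: true, debug: true });
// caja.load(document.getElementById('guest'), makeUriPolicy(location.origin), function (frame) {
//   frame.code('/presentation/index.html', 'text/html').run();
// });
```

With this policy the player.js request from the thread passes, a script from another host is refused by rewrite() before any fetch happens, and the fetch function is present so Caja can actually load the same-domain script.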
 

pablo platt

Jul 3, 2014, 4:42:44 AM
to google-ca...@googlegroups.com
I've added "fetch: caja.policy.net.fetcher.USE_XHR" to the uriPolicy
Now it's able to get player.js but I'm getting "TypeError: ca is undefined in source".

Complete log:

The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. host.html
TypeError: mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create ses-single-frame.js:2870
SES initialization ses-single-frame.js:221
"Repaired: Non-deletable RegExp statics are a global communication channel" ses-single-frame.js:200
"Repaired: Date.prototype is a global communication channel" ses-single-frame.js:200
"Repaired: WeakMap.prototype is a global communication channel" ses-single-frame.js:200
"Not repaired: Strict getter must not box this, but does" ses-single-frame.js:200
"Not repaired: [[ThrowTypeError]] is not frozen" ses-single-frame.js:200
"Not repaired: [[ThrowTypeError]] has normal function properties" ses-single-frame.js:200
"Max Severity: Safe spec violation(1)." ses-single-frame.js:200
"Repaired: WeakMap throws when given some keys" ses-single-frame.js:200
"612 Apparently fine" ses-single-frame.js:200
"151 Deleted" ses-single-frame.js:200
"1 Frozen harmless" ses-single-frame.js:200
"Max Severity: Safe spec violation(1)." ses-single-frame.js:200
"initSES succeeded." ses-single-frame.js:200
"Uncaught script error: TypeError: ca is undefined in source: "http://localhost:8000/presentation/data/player.js?B29519F1" at line: 1" ses-single-frame.js:26253
"Uncaught script error: TypeError: PresentationPlayer is undefined in source: "http://localhost:8000/presentation/index.html" at line: 1" ses-single-frame.js:26253




--

---
You received this message because you are subscribed to a topic in the Google Groups "Google Caja Discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-caja-discuss/C-YAQF-IcTY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-caja-dis...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Kevin Reid

Jul 7, 2014, 3:10:11 PM
to Google Caja Discuss
On Thu, Jul 3, 2014 at 1:42 AM, pablo platt <pablo...@gmail.com> wrote:
I've added "fetch: caja.policy.net.fetcher.USE_XHR" to the uriPolicy
Now it's able to get player.js but I'm getting "TypeError: ca is undefined in source".
[...] 
"Uncaught script error: TypeError: ca is undefined in source: "http://localhost:8000/presentation/data/player.js?B29519F1" at line: 1" ses-single-frame.js:26253
"Uncaught script error: TypeError: PresentationPlayer is undefined in source: "http://localhost:8000/presentation/index.html" at line: 1" ses-single-frame.js:26253

This comes down to a problem in the actual JS you're trying to execute. You will have to debug it further or provide us with a runnable example to help with.

pablo platt

Jul 7, 2014, 5:08:07 PM
to google-ca...@googlegroups.com
The code I'm trying to run in the sandbox:
https://drive.google.com/file/d/0BxtO-pPpZS0FRU9XbHdrb09FcE0/

When you run index.html without caja, you can see a presentation.
Clicking on the slide moves to the next transition.





Mike Stay

Jul 7, 2014, 5:49:44 PM
to Google Caja Discuss
Caja is currently maintained by one guy (Kevin) in his spare time; I
may have time to help out eventually, but not for a few months.
Neither of us have time to dig into the code you supplied. If you
create a small code snippet that reproduces the error and file a
ticket, that will help us keep track of it. Also, it looks like
iSpring pro loads flash, which currently isn't supported in the new
ES5 mode and is only partially supported in the old mode.
--
Mike Stay - meta...@gmail.com
http://www.cs.auckland.ac.nz/~mike
http://reperiendi.wordpress.com

pablo platt

Jul 7, 2014, 5:59:43 PM
to google-ca...@googlegroups.com
The iSpring plugin can output Flash or HTML5.
The test above is HTML5 without Flash.

I don't think I'll be able to create a simple test case but I'll use a javascript beautifier on player.js and try to see where the error is.

I've tested with a similar freeware plugin that gives me an error too.
http://www.slidego.com/home/download.php

Mark Miller

Jul 7, 2014, 6:53:51 PM
to Google Caja Discuss
On Mon, Jul 7, 2014 at 2:49 PM, Mike Stay <meta...@gmail.com> wrote:
Caja is currently maintained by one guy (Kevin) in his spare time; I
may have time to help out eventually, but not for a few months.
Neither of us have time to dig into the code you supplied.  If you
create a small code snippet that reproduces the error and file a
ticket, that will help us keep track of it.  Also, it looks like
iSpring pro loads flash, which currently isn't supported in the new
ES5 mode and is only partially supported in the old mode.


Just for the record, I am also helping maintain SES, the JavaScript-securing portion of Caja, out of my 20% time as well. 

My knowledge of the browser-specific portions of Caja has gone stale. Since the current issue is browser-based rather than a SES issue, my attention wouldn't help. But I just wanted to clarify, in light of Mike's note, that SES has yet more support.



--
Text by me above is hereby placed in the public domain

  Cheers,
  --MarkM