Do iframes with src still work in Caja?

67 views
Skip to first unread message

Tapan Anand

unread,
Mar 23, 2017, 11:58:17 AM3/23/17
to Google Caja Discuss
Does caja support the src attribute of iframe? I see the iframe tag whitelisted in the whitelist file (html4-elements-whitelist.json) but when I try to run the code that I have shared in this plunker: https://plnkr.co/edit/dQoxqpZBGTUNe0k1W8QM
The childPage is not fetched at all.

Here is my uriPolicy: 
var uriPolicy = {
    rewrite: function(uri) {
if(uri.hasDomain(window.location.hostname) && uri.hasPort(window.location.port))
return uri;
return null;
    },
    fetch: caja.policy.net.fetcher.USE_XHR, // fetch external scripts and css
mitigate: function() {
    // can be used to proxy known and mitigated external URLs
    return null;
}
};

Also, the generated code for the iframe tag is: 
<iframe data-caja-src="./childPage.html"></iframe>

Which seems to be suggesting that the src attribute is not supported. Am I right? Or am I doing something wrong?
Also, the only way I see to put content inside the iframe is to do a document.write inside that iframe. 
I just wanted to make sure that Caja does sanitize all content written into the iframe using document.write? As far as I tested it does, but just wanted a confirmation from the creators

Thank you

Kevin Reid

unread,
Mar 23, 2017, 12:00:20 PM3/23/17
to Google Caja Discuss
On Thu, Mar 23, 2017 at 1:49 AM, Tapan Anand <anandtap...@gmail.com> wrote:
Does caja support the src attribute of iframe? I see the iframe tag whitelisted in the whitelist file (html4-elements-whitelist.json) but when I try to run the code that I have shared in this plunker: https://plnkr.co/edit/dQoxqpZBGTUNe0k1W8QM
The childPage is not fetched at all.
... 
I just wanted to make sure that Caja does sanitize all content written into the iframe using document.write?

Yes, that is all correct. Caja does not implement loading iframe src, but the guest code can create an iframe and manipulate it using document.write or DOM operations, and it is sandboxed just as the outer document is.

Tapan Anand

unread,
Mar 23, 2017, 2:35:40 PM3/23/17
to Google Caja Discuss
Awesome! Thanks :)
Reply all
Reply to author
Forward
0 new messages