Script inclusion error

53 views
Skip to first unread message

Marc H

unread,
Feb 7, 2018, 1:11:34 PM2/7/18
to Google Caja Discuss
This is a continuation of over here.

I am trying to include a script in a guest page, however the script does not run and I get an error:

Uncaught script error: Uncaught Error: not loaded in source: "http://localhost:8000/test.js" at line: -1
 ses
-single-frame.js:34340:5

I am using a CORS-enabled server on localhost as shown here:
~$ curl -I localhost:8000/test.js
HTTP
/1.0 200 OK
...
Access-Control-Allow-Origin: *

Finally here are the code snippets:

Host
<html>
   
<head>
       
<title>Caja host page</title>
       
<script type="text/javascript" src="//caja.appspot.com/caja.js"></script>
   
</head>

   
<body>
       
<div id="guest"></div>
       
<script type="text/javascript">
           
var uriPolicy = {fetcher: caja.policy.net.fetcher.USE_XHR, rewriter: caja.policy.net.rewriter.ALL};

            caja
.initialize({
                cajaServer
: 'https://caja.appspot.com/',
                debug
: true
           
});

            caja
.load(document.getElementById("guest"), uriPolicy, function(frame) {
                frame
.code("http://localhost:8000/caja-full-guest.html", "text/html")
                   
.run();
           
});
       
</script>
   
</body>
</html>

Guest
<html>
   
<head>
       
<script src="/test.js"></script>
   
</head>

   
<body>
       
<h1 id="main">Doh!</h1>
   
</body>
</html>

Test.js
document.getElementById("main").innerHTML = "Excellent!";

Kevin Reid

unread,
Feb 7, 2018, 1:51:59 PM2/7/18
to Google Caja Discuss
For what it's worth, I don't see anything obviously wrong with your code. I will have to see if I can reproduce the problem, but I do not expect to have time to investigate today.

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Marc H

unread,
Feb 8, 2018, 2:09:18 PM2/8/18
to Google Caja Discuss
Great thanks kevin, if it helps I can upload my files so it would be easier to reproduce?

Kevin Reid

unread,
Feb 8, 2018, 4:17:35 PM2/8/18
to Google Caja Discuss
Got it. I gave you misspelled code, sorry. Try:

var uriPolicy = {
  fetch: caja.policy.net.fetcher.USE_XHR, 
  rewrite: caja.policy.net.rewriter.ALL
};

Note 'fetch' and 'rewrite' instead of 'fetcher' and 'rewriter' in the property names.

(Your script will also not work because it tries to access the #main element before that part of the HTML has been parsed, but that is the same as a normal browser environment and the error message will be actually useful for that.)

To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+unsubscribe...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Marc H

unread,
Feb 9, 2018, 3:22:29 PM2/9/18
to Google Caja Discuss
Thanks so much the snippet now works! Now I am trying to integrate this with my project, which uses a framework called "A-Frame" for games and I have run into another problem.

When I include the framework script, (I believe) it tries to add a function to the Math prototype that the library needs, and I get an error in the console like this:

Uncaught script error: Uncaught TypeError: can't define property "sign": Math is not extensible in source: "https://cdnjs.cloudflare.com/ajax/libs/aframe/0.6.0/aframe-master.js" at line: -1
 Here is the code snippet of the guest page:

<html>
   
<head>
       
<script src="https://cdnjs.cloudflare.com/ajax/libs/aframe/0.6.0/aframe-master.js"></script>
   
</head>
</html>

Is there any way around this?

PS. When reproducing this there is a delay before the error shows, and the page first goes unresponsive
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Kevin Reid

unread,
Feb 9, 2018, 3:33:27 PM2/9/18
to Google Caja Discuss
On Fri, Feb 9, 2018 at 12:22 PM, Marc H <zappy...@gmail.com> wrote:
Thanks so much the snippet now works! Now I am trying to integrate this with my project, which uses a framework called "A-Frame" for games and I have run into another problem.

When I include the framework script, (I believe) it tries to add a function to the Math prototype that the library needs, and I get an error in the console like this:

Uncaught script error: Uncaught TypeError: can't define property "sign": Math is not extensible in source: "https://cdnjs.cloudflare.com/ajax/libs/aframe/0.6.0/aframe-master.js" at line: -1
Modifying the objects provided by JavaScript is prohibited in the Caja/SES environment.

PS. When reproducing this there is a delay before the error shows, and the page first goes unresponsive

Probably mostly time to parse the code. Not much to be done other than load less code, unfortunately.

Marc H

unread,
Feb 11, 2018, 5:47:56 AM2/11/18
to Google Caja Discuss
Is there any workaround, or way to give the guest script access to these objects?

Kevin Reid

unread,
Feb 12, 2018, 1:35:28 PM2/12/18
to Google Caja Discuss
On Sun, Feb 11, 2018 at 2:47 AM, Marc H <zappy...@gmail.com> wrote:
Is there any workaround, or way to give the guest script access to these objects?

No. Prohibiting such modifications is a central part of Caja's security strategy.

Mike Stay

unread,
Feb 12, 2018, 3:20:07 PM2/12/18
to Google Caja Discuss
For the specific case of Math, you could shadow the real Math object
with an object that merely inherits from the real one. However, this
approach won't work for modifying prototypes of the built-in classes;
for example, modifying String.prototype can't be made to work this
way.

```
((Math) => {
// do stuff that would modify Math
// or use the modified Math
})(Object.create(Math))
```

It requires doing a source transform on the set of libraries you want
to use, but at least it's possible.
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "Google Caja Discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to google-caja-dis...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
Mike Stay - meta...@gmail.com
http://www.math.ucr.edu/~mike
http://reperiendi.wordpress.com
Reply all
Reply to author
Forward
0 new messages