Script inclusion error


Marc H

Feb 7, 2018, 1:11:34 PM
to Google Caja Discuss
This is a continuation of over here.

I am trying to include a script in a guest page, however the script does not run and I get an error:

Uncaught script error: Uncaught Error: not loaded in source: "http://localhost:8000/test.js" at line: -1
 ses-single-frame.js:34340:5

I am using a CORS-enabled server on localhost as shown here:

```
~$ curl -I localhost:8000/test.js
HTTP/1.0 200 OK
...
Access-Control-Allow-Origin: *
```

Finally here are the code snippets:

Host

```
<html>
    <head>
        <title>Caja host page</title>
        <script type="text/javascript" src="//caja.appspot.com/caja.js"></script>
    </head>

    <body>
        <div id="guest"></div>
        <script type="text/javascript">
            var uriPolicy = {fetcher: caja.policy.net.fetcher.USE_XHR, rewriter: caja.policy.net.rewriter.ALL};

            caja.initialize({
                cajaServer: 'https://caja.appspot.com/',
                debug: true
            });

            caja.load(document.getElementById("guest"), uriPolicy, function(frame) {
                frame.code("http://localhost:8000/caja-full-guest.html", "text/html")
                    .run();
            });
        </script>
    </body>
</html>
```

Guest

```
<html>
    <head>
        <script src="/test.js"></script>
    </head>

    <body>
        <h1 id="main">Doh!</h1>
    </body>
</html>
```

Test.js

```
document.getElementById("main").innerHTML = "Excellent!";
```

Kevin Reid

Feb 7, 2018, 1:51:59 PM
to Google Caja Discuss
For what it's worth, I don't see anything obviously wrong with your code. I will have to see if I can reproduce the problem, but I do not expect to have time to investigate today.

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Marc H

Feb 8, 2018, 2:09:18 PM
to Google Caja Discuss
Great, thanks Kevin, if it helps I can upload my files so it would be easier to reproduce?

Kevin Reid

Feb 8, 2018, 4:17:35 PM
to Google Caja Discuss
Got it. I gave you misspelled code, sorry. Try:

```
var uriPolicy = {
  fetch: caja.policy.net.fetcher.USE_XHR,
  rewrite: caja.policy.net.rewriter.ALL
};
```

Note 'fetch' and 'rewrite' instead of 'fetcher' and 'rewriter' in the property names.

(Your script will also not work because it tries to access the #main element before that part of the HTML has been parsed, but that is the same as a normal browser environment and the error message will be actually useful for that.)


Marc H

Feb 9, 2018, 3:22:29 PM
to Google Caja Discuss
Thanks so much the snippet now works! Now I am trying to integrate this with my project, which uses a framework called "A-Frame" for games and I have run into another problem.

When I include the framework script, (I believe) it tries to add a function to the Math prototype that the library needs, and I get an error in the console like this:

Uncaught script error: Uncaught TypeError: can't define property "sign": Math is not extensible in source: "https://cdnjs.cloudflare.com/ajax/libs/aframe/0.6.0/aframe-master.js" at line: -1

Here is the code snippet of the guest page:

```
<html>
    <head>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/aframe/0.6.0/aframe-master.js"></script>
    </head>
</html>
```

Is there any way around this?

PS. When reproducing this there is a delay before the error shows, and the page first goes unresponsive

Kevin Reid

Feb 9, 2018, 3:33:27 PM
to Google Caja Discuss
On Fri, Feb 9, 2018 at 12:22 PM, Marc H <zappy...@gmail.com> wrote:
> Thanks so much the snippet now works! Now I am trying to integrate this with my project, which uses a framework called "A-Frame" for games and I have run into another problem.
>
> When I include the framework script, (I believe) it tries to add a function to the Math prototype that the library needs, and I get an error in the console like this:
>
> Uncaught script error: Uncaught TypeError: can't define property "sign": Math is not extensible in source: "https://cdnjs.cloudflare.com/ajax/libs/aframe/0.6.0/aframe-master.js" at line: -1

Modifying the objects provided by JavaScript is prohibited in the Caja/SES environment.

> PS. When reproducing this there is a delay before the error shows, and the page first goes unresponsive

Probably mostly time to parse the code. Not much to be done other than load less code, unfortunately.

Marc H

Feb 11, 2018, 5:47:56 AM
to Google Caja Discuss
Is there any workaround, or way to give the guest script access to these objects?

Kevin Reid

Feb 12, 2018, 1:35:28 PM
to Google Caja Discuss
On Sun, Feb 11, 2018 at 2:47 AM, Marc H <zappy...@gmail.com> wrote:
> Is there any workaround, or way to give the guest script access to these objects?

No. Prohibiting such modifications is a central part of Caja's security strategy.

Mike Stay

Feb 12, 2018, 3:20:07 PM
to Google Caja Discuss
For the specific case of Math, you could shadow the real Math object
with an object that merely inherits from the real one. However, this
approach won't work for modifying prototypes of the built-in classes;
for example, modifying String.prototype can't be made to work this
way.

```
((Math) => {
// do stuff that would modify Math
// or use the modified Math
})(Object.create(Math))
```

It requires doing a source transform on the set of libraries you want
to use, but at least it's possible.



--
Mike Stay - meta...@gmail.com
http://www.math.ucr.edu/~mike
http://reperiendi.wordpress.com
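
The shadowing approach from the post above, worked through as an added example that is not part of the original thread or of Caja's code. It assumes plain JavaScript with `Object.freeze(Math)` standing in for the SES environment and `new Function` standing in for the source transform; `guestClamp` and `shout` are hypothetical property names.

```javascript
// Constructed stand-ins for library code that patches built-ins while loading.
// `guestClamp` and `shout` are hypothetical property names.
const MATH_LIB = `"use strict";
  Math.guestClamp = (x, lo, hi) => Math.min(hi, Math.max(lo, x));
  return Math.guestClamp(12, 0, 10);`;
const STRING_LIB = `"use strict";
  String.prototype.shout = function () { return this.toUpperCase() + "!"; };
  return typeof "abc".shout;`;

// Approximates the condition in the error message: the global Math is frozen.
function lockDownMath() {
  return Object.isFrozen(Object.freeze(Math));
}

// Unmodified library: `Math` is the frozen global, so the write throws.
function runUnshadowed() {
  try {
    return { ok: true, value: new Function(MATH_LIB)() };
  } catch (e) {
    return { ok: false, isTypeError: e instanceof TypeError };
  }
}

// The source transform: the library body becomes a function whose `Math`
// parameter is an extensible object inheriting from the real Math.
function runShadowed() {
  const shadow = Object.create(Math);
  const value = new Function("Math", MATH_LIB)(shadow);
  return {
    value,
    onShadow: Object.prototype.hasOwnProperty.call(shadow, "guestClamp"),
    onRealMath: "guestClamp" in Math,
  };
}

// The same trick applied to String: the patch lands on the shadow prototype,
// but string literals still use the real String.prototype.
function runShadowedString() {
  const shadow = { prototype: Object.create(String.prototype) };
  return new Function("String", STRING_LIB)(shadow);
}

lockDownMath();
console.log(runUnshadowed());
console.log(runShadowed());
console.log(runShadowedString());
```

The shadow only accepts properties that are new to `Math`: a plain assignment to a name the frozen `Math` already has still throws in strict mode, because the inherited property is read-only.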