Tapan Anand
2017-03-23 08:49:10 UTC
Does caja support the src attribute of iframe? I see the iframe tag
whitelisted in the whitelist file (html4-elements-whitelist.json) but when
I try to run the code that I have shared in this
plunker: https://plnkr.co/edit/dQoxqpZBGTUNe0k1W8QM
The childPage is not fetched at all.
Here is my uriPolicy:
var uriPolicy = {
rewrite: function(uri) {
if(uri.hasDomain(window.location.hostname) &&
uri.hasPort(window.location.port))
return uri;
return null;
},
fetch: caja.policy.net.fetcher.USE_XHR, // fetch external scripts and
css
mitigate: function() {
// can be used to proxy known and mitigated external URLs
return null;
}
};
Also, the generated code for the iframe tag is:
<iframe data-caja-src="./childPage.html"></iframe>
Which seems to be suggesting that the src attribute is not supported. Am I
right? Or am I doing something wrong?
Also, the only way I see to put content inside the iframe is to do a
document.write inside that iframe.
I just wanted to make sure that Caja does sanitize all content written into
the iframe using document.write? As far as I tested it does, but just
wanted a confirmation from the creators
Thank you
whitelisted in the whitelist file (html4-elements-whitelist.json) but when
I try to run the code that I have shared in this
plunker: https://plnkr.co/edit/dQoxqpZBGTUNe0k1W8QM
The childPage is not fetched at all.
Here is my uriPolicy:
var uriPolicy = {
rewrite: function(uri) {
if(uri.hasDomain(window.location.hostname) &&
uri.hasPort(window.location.port))
return uri;
return null;
},
fetch: caja.policy.net.fetcher.USE_XHR, // fetch external scripts and
css
mitigate: function() {
// can be used to proxy known and mitigated external URLs
return null;
}
};
Also, the generated code for the iframe tag is:
<iframe data-caja-src="./childPage.html"></iframe>
Which seems to be suggesting that the src attribute is not supported. Am I
right? Or am I doing something wrong?
Also, the only way I see to put content inside the iframe is to do a
document.write inside that iframe.
I just wanted to make sure that Caja does sanitize all content written into
the iframe using document.write? As far as I tested it does, but just
wanted a confirmation from the creators
Thank you
--
---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.