Fixes several problems in our support for safe debugging.

Fixes several problems in our support for safe debugging.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1516
The UnsafeError object was exposed to privileged code as a property on
ses. Since the ses is accessible only to privileged code, this is not
a vulnerability, but it does violate a stated invariant. Caught by
trying to verify SES using S5 
http://blog.brownplt.org/2011/11/11/s5-javascript-semantics.html

Fixes https://code.google.com/p/google-caja/issues/detail?id=1963
Rewires the Error inheritance hierarchy to stay compatible with ES6
while staying safe.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1964
On non-v8, debug.js detects of Error.prototype.stack is an accessor
property. If so, grab its getter for its own internal use. This now
provides proper encapsulation of stack information on FF40
Nightly in addition to the encapsulation we have long had on v8.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1965
When detecting a url into the rawgit service that matches a common
pattern, useHTMLLogger renders this as a link that takes you to the
corresponding page on github with the correct line highlighted.

[MarkM, 2015-04-12 00:54:12]

Fixes several problems in our support for safe debugging.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1516
The UnsafeError object was exposed to privileged code as a property on
ses. Since the ses is accessible only to privileged code, this is not
a vulnerability, but it does violate a stated invariant. Caught by
trying to verify SES using S5 
http://blog.brownplt.org/2011/11/11/s5-javascript-semantics.html

Fixes https://code.google.com/p/google-caja/issues/detail?id=1963
Rewires the Error inheritance hierarchy to stay compatible with ES6
while staying safe.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1964
On non-v8, debug.js detects of Error.prototype.stack is an accessor
property. If so, grab its getter for its own internal use. This now
provides proper encapsulation of stack information on FF40
Nightly in addition to the encapsulation we have long had on v8.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1965
When detecting a url into the rawgit service that matches a common
pattern, useHTMLLogger renders this as a link that takes you to the
corresponding page on github with the correct line highlighted.

[MarkM, 2015-04-15 06:32:37]

Fixes several problems in our support for safe debugging.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1516
The UnsafeError object was exposed to privileged code as a property on
ses. Since the ses is accessible only to privileged code, this is not
a vulnerability, but it does violate a stated invariant. Caught by
trying to verify SES using S5 
http://blog.brownplt.org/2011/11/11/s5-javascript-semantics.html

Fixes https://code.google.com/p/google-caja/issues/detail?id=1963
Rewires the Error inheritance hierarchy to stay compatible with ES6
while staying safe.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1964
On non-v8, debug.js detects of Error.prototype.stack is an accessor
property. If so, grab its getter for its own internal use. This now
provides proper encapsulation of stack information on FF40
Nightly in addition to the encapsulation we have long had on v8.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1965
When detecting a url into the rawgit service that matches a common
pattern, useHTMLLogger renders this as a link that takes you to the
corresponding page on github with the correct line highlighted.

[MarkM, 2015-04-15 06:39:24]

New snapshot

[kpreid_google, 2015-04-15 22:45:39]

https://codereview.appspot.com/226970043/diff/40001/src/com/google/caja/ses/d...
File src/com/google/caja/ses/debug.js (right):

https://codereview.appspot.com/226970043/diff/40001/src/com/google/caja/ses/d...
src/com/google/caja/ses/debug.js:71: Object.setPrototypeOf(err, FakeError);
The above code as well as existing code appears to be part of SES security.

Yet, file comments say this file is optional. Are the comments wrong?

https://codereview.appspot.com/226970043/diff/40001/src/com/google/caja/ses/d...
src/com/google/caja/ses/debug.js:241: if (!stack || typeof stack !== 'string') {
return void 0; }
For audit-style-readability, I'd rather see this written as:

if (typeof stack !== 'string' || stack === '')

https://codereview.appspot.com/226970043/diff/40001/src/com/google/caja/ses/d...
src/com/google/caja/ses/debug.js:340: typeof (result =
primStackGetter.call(err)) === 'string') {
This can return '' where it is otherwise careful to return undefined.
Deliberate?

[MarkM, 2015-04-16 20:20:41]

Fixes several problems in our support for safe debugging.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1516
The UnsafeError object was exposed to privileged code as a property on
ses. Since the ses is accessible only to privileged code, this is not
a vulnerability, but it does violate a stated invariant. Caught by
trying to verify SES using S5 
http://blog.brownplt.org/2011/11/11/s5-javascript-semantics.html

Fixes https://code.google.com/p/google-caja/issues/detail?id=1963
Rewires the Error inheritance hierarchy to stay compatible with ES6
while staying safe.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1964
On non-v8, debug.js detects of Error.prototype.stack is an accessor
property. If so, grab its getter for its own internal use. This now
provides proper encapsulation of stack information on FF40
Nightly in addition to the encapsulation we have long had on v8.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1965
When detecting a url into the rawgit service that matches a common
pattern, useHTMLLogger renders this as a link that takes you to the
corresponding page on github with the correct line highlighted.

[MarkM, 2015-04-16 20:22:14]

https://codereview.appspot.com/226970043/diff/40001/src/com/google/caja/ses/d...
File src/com/google/caja/ses/debug.js (right):

https://codereview.appspot.com/226970043/diff/40001/src/com/google/caja/ses/d...
src/com/google/caja/ses/debug.js:71: Object.setPrototypeOf(err, FakeError);
On 2015/04/15 22:45:39, kpreid_google wrote:
> The above code as well as existing code appears to be part of SES security.
> 
> Yet, file comments say this file is optional. Are the comments wrong?

The comments are correct but obscure. Added clarifying comments. PTAL.

https://codereview.appspot.com/226970043/diff/40001/src/com/google/caja/ses/d...
src/com/google/caja/ses/debug.js:241: if (!stack || typeof stack !== 'string') {
return void 0; }
On 2015/04/15 22:45:39, kpreid_google wrote:
> For audit-style-readability, I'd rather see this written as:
> 
> if (typeof stack !== 'string' || stack === '')

Done.

https://codereview.appspot.com/226970043/diff/40001/src/com/google/caja/ses/d...
src/com/google/caja/ses/debug.js:340: typeof (result =
primStackGetter.call(err)) === 'string') {
On 2015/04/15 22:45:39, kpreid_google wrote:
> This can return '' where it is otherwise careful to return undefined.
> Deliberate?

Done.

https://codereview.appspot.com/226970043/diff/60001/src/com/google/caja/ses/d...
File src/com/google/caja/ses/debug.js (right):

https://codereview.appspot.com/226970043/diff/60001/src/com/google/caja/ses/d...
src/com/google/caja/ses/debug.js:28: * <p>TODO(erights): Explore alternatives to
using "instanceof Error"
Note the added TODO.

[kpreid_google, 2015-04-20 17:48:50]

LGTM

https://codereview.appspot.com/226970043/diff/60001/src/com/google/caja/ses/d...
File src/com/google/caja/ses/debug.js (right):

https://codereview.appspot.com/226970043/diff/60001/src/com/google/caja/ses/d...
src/com/google/caja/ses/debug.js:86: [EvalError, RangeError, ReferenceError,
SyntaxError, TypeError, URIError
What happens if this list is out of sync with the whitelist?

If it's silent and bad, add a warning to the whitelist.

Or, perhaps we could derive this list from the whitelist, ensuring it's in sync?

[MarkM, 2015-04-27 23:46:54]

Fixes several problems in our support for safe debugging.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1516
The UnsafeError object was exposed to privileged code as a property on
ses. Since the ses is accessible only to privileged code, this is not
a vulnerability, but it does violate a stated invariant. Caught by
trying to verify SES using S5 
http://blog.brownplt.org/2011/11/11/s5-javascript-semantics.html

Fixes https://code.google.com/p/google-caja/issues/detail?id=1963
Rewires the Error inheritance hierarchy to stay compatible with ES6
while staying safe.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1964
On non-v8, debug.js detects of Error.prototype.stack is an accessor
property. If so, grab its getter for its own internal use. This now
provides proper encapsulation of stack information on FF40
Nightly in addition to the encapsulation we have long had on v8.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1965
When detecting a url into the rawgit service that matches a common
pattern, useHTMLLogger renders this as a link that takes you to the
corresponding page on github with the correct line highlighted.

[MarkM, 2015-04-27 23:49:20]

Hi Kevin, I'm done. So either this is all your's now, or you can walk me through
submitting this to github.

https://codereview.appspot.com/226970043/diff/60001/src/com/google/caja/ses/d...
File src/com/google/caja/ses/debug.js (right):

https://codereview.appspot.com/226970043/diff/60001/src/com/google/caja/ses/d...
src/com/google/caja/ses/debug.js:86: [EvalError, RangeError, ReferenceError,
SyntaxError, TypeError, URIError
On 2015/04/20 17:48:50, kpreid_google wrote:
> What happens if this list is out of sync with the whitelist?

Because of our new __proto__ test, it should fail safe, which is why
https://code.google.com/p/google-caja/issues/detail?id=1963 could be filed as a
public bug. As an experiment just now, removing URIError from the list above
caused SES to fail safe on Chrome 44 Canary with:

Max Severity: Not isolated(5) is not SES-safe.
[-] 1 unexpected intrinsic. Not isolated(5) is not SES-safe.
      URIError.__proto__

But going the other way -- leaving URIError in the above list but deleting it
from whitelist.js -- did not provoke a diagnostic. Instead, URIError is rewired
by not whitelisted, which is still safe.

> If it's silent and bad, add a warning to the whitelist.
> 
> Or, perhaps we could derive this list from the whitelist, ensuring it's in
sync?

I just added comments to debug.js and whitelist.js documenting that these lists
need to be kept in sync.

Done.

[MarkM, 2015-04-28 00:01:50]

On 2015/04/27 23:49:20, MarkM wrote:
> Hi Kevin, I'm done. So either this is all your's now, or you can walk me
through
> submitting this to github.
> 
>
https://codereview.appspot.com/226970043/diff/60001/src/com/google/caja/ses/d...
> File src/com/google/caja/ses/debug.js (right):
> 
>
https://codereview.appspot.com/226970043/diff/60001/src/com/google/caja/ses/d...
> src/com/google/caja/ses/debug.js:86: [EvalError, RangeError, ReferenceError,
> SyntaxError, TypeError, URIError
> On 2015/04/20 17:48:50, kpreid_google wrote:
> > What happens if this list is out of sync with the whitelist?
> 
> Because of our new __proto__ test, it should fail safe, which is why
> https://code.google.com/p/google-caja/issues/detail?id=1963 could be filed as
a
> public bug. As an experiment just now, removing URIError from the list above
> caused SES to fail safe on Chrome 44 Canary with:
> 
> Max Severity: Not isolated(5) is not SES-safe.
> [-] 1 unexpected intrinsic. Not isolated(5) is not SES-safe.
>       URIError.__proto__
> 
> But going the other way -- leaving URIError in the above list but deleting it
> from whitelist.js -- did not provoke a diagnostic. Instead, URIError is
rewired
> by not whitelisted, which is still safe.
> 
> > If it's silent and bad, add a warning to the whitelist.
> > 
> > Or, perhaps we could derive this list from the whitelist, ensuring it's in
> sync?
> 
> I just added comments to debug.js and whitelist.js documenting that these
lists
> need to be kept in sync.
> 
> Done.

[MarkM, 2015-04-28 00:03:53]

Hold on. "ant runtests" doesn't run yet. Investigating.

[MarkM, 2015-04-28 00:17:32]

Fixes several problems in our support for safe debugging.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1516
The UnsafeError object was exposed to privileged code as a property on
ses. Since the ses is accessible only to privileged code, this is not
a vulnerability, but it does violate a stated invariant. Caught by
trying to verify SES using S5 
http://blog.brownplt.org/2011/11/11/s5-javascript-semantics.html

Fixes https://code.google.com/p/google-caja/issues/detail?id=1963
Rewires the Error inheritance hierarchy to stay compatible with ES6
while staying safe.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1964
On non-v8, debug.js detects of Error.prototype.stack is an accessor
property. If so, grab its getter for its own internal use. This now
provides proper encapsulation of stack information on FF40
Nightly in addition to the encapsulation we have long had on v8.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1965
When detecting a url into the rawgit service that matches a common
pattern, useHTMLLogger renders this as a link that takes you to the
corresponding page on github with the correct line highlighted.

[MarkM, 2015-04-28 00:21:42]

With snapshot 6, "ant runtests" now runs, but its remaining problems are:


FAIL: testScriptOnerror: TypeError: undefined is not a function
" TypeError: undefined is not a function
Stack trace:
assertObjectEquals@http://localhost:65182/ant-testlib/com/google/caja/plugin/jsUnitCore.js:307:21
tamingNullAdvice@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1457:110
applyFeralFunction@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1439:40
applyFeralFunction@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1472:126
tamePureFunction/t@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1514:46
assertObjectEquals@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1
line 113 > eval:4:12
scriptEventTest@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1
line 584 > eval:38:1
testScriptOnerror@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1
line 584 > eval:61:1
applyTameFunction@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1473:74
untameCajaFunction/f@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1536:48
testScriptOnerror@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1
line 113 > eval:4:12
jsunitRun@http://localhost:65182/ant-testlib/com/google/caja/plugin/jsunit.js:271:7
@http://localhost:65182/ant-testlib/com/google/caja/plugin/default-test-driver.js:76:24
run/</<@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1562:343
 jsunit.js:106:4
jsunit.fail() jsunit.js:106
jsunitRun() jsunit.js:274
<anonymous> default-test-driver.js:76
run/</<() ses-single-frame.opt.js:1562


and


"FAIL: testScriptOnload: TypeError: undefined is not a function
" TypeError: undefined is not a function
Stack trace:
assertObjectEquals@http://localhost:65182/ant-testlib/com/google/caja/plugin/jsUnitCore.js:307:21
tamingNullAdvice@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1457:110
applyFeralFunction@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1439:40
applyFeralFunction@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1472:126
tamePureFunction/t@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1514:46
assertObjectEquals@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1
line 113 > eval:4:12
scriptEventTest@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1
line 584 > eval:38:1
testScriptOnload@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1
line 584 > eval:57:1
applyTameFunction@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1473:74
untameCajaFunction/f@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1536:48
testScriptOnload@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1
line 113 > eval:4:12
jsunitRun@http://localhost:65182/ant-testlib/com/google/caja/plugin/jsunit.js:271:7
@http://localhost:65182/ant-testlib/com/google/caja/plugin/default-test-driver.js:76:24
run/</<@http://localhost:65182/caja/5722m/ses-single-frame.opt.js?debug=1:1562:343
 jsunit.js:106:4
jsunit.fail() jsunit.js:106
jsunitRun() jsunit.js:274
<anonymous> default-test-driver.js:76
run/</<() ses-single-frame.opt.js:1562


Are these the missing ".next" coverage?

[MarkM, 2015-05-19 04:50:20]

Fixes several problems in our support for safe debugging.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1516
The UnsafeError object was exposed to privileged code as a property on
ses. Since the ses is accessible only to privileged code, this is not
a vulnerability, but it does violate a stated invariant. Caught by
trying to verify SES using S5 
http://blog.brownplt.org/2011/11/11/s5-javascript-semantics.html

Fixes https://code.google.com/p/google-caja/issues/detail?id=1963
Rewires the Error inheritance hierarchy to stay compatible with ES6
while staying safe.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1964
On non-v8, debug.js detects of Error.prototype.stack is an accessor
property. If so, grab its getter for its own internal use. This now
provides proper encapsulation of stack information on FF40
Nightly in addition to the encapsulation we have long had on v8.

Fixes https://code.google.com/p/google-caja/issues/detail?id=1965
When detecting a url into the rawgit service that matches a common
pattern, useHTMLLogger renders this as a link that takes you to the
corresponding page on github with the correct line highlighted.

[MarkM, 2015-05-19 04:53:38]

Manually merged in latest changes from caja on github, even though this is still
a myvn client based on the stale state in code.google.