Adds a third option to the uri policy to give hosts the option to:
* use an alternate, pre-gotcha-mitigated script for a given url
* not perform any gotcha-mitigation for scripts like jquery which do not need it
(This improves the render time for scripts that use jquery by ~500ms on MBP OS 10.8.2 Chrome M24)
@5403
https://codereview.appspot.com/7381051/diff/1/src/com/google/caja/ses/startSES.js
File src/com/google/caja/ses/startSES.js (right):
https://codereview.appspot.com/7381051/diff/1/src/com/google/caja/ses/startSES.js#newcode652
src/com/google/caja/ses/startSES.js:652: function compileExpr(src,
doesNotNeedMitigation, opt_sourcePosition) {
I don't like this API. mitigateGotchas is already parameterized by an options
object, and is already conditioned on the presence of ses.mitigateGotchas. In
the absence of mitigation, this parameter here, if false, cannot be obeyed.
Also, phrasing boolean flags as a negative often leads to cognitive overhead,
such as the double-negative reasoning in the previous sentence.
I don't understand all the considerations that led to this API so I will not
suggest another one here. But please let's talk or chat before you submit this.
https://codereview.appspot.com/7381051/diff/1/src/com/google/caja/ses/startSE...
src/com/google/caja/ses/startSES.js:655: exprSrc = doesNotNeedMitigation ?
exprSrc : mitigateGotchas(exprSrc);
On the mitigateGotchas function's doccomment above it says "Passing no option
performs no mitigation.". However, I see that all actual calls to
mitigateGotchas, as here, in fact pass no options, so something is clearly
amiss.
12 years, 10 months ago
(2013-05-01 11:04:26 UTC)
#4
Adds a third option to the uri policy to give hosts the option to:
* use an alternate, pre-gotcha-mitigated script for a given url
* not perform any gotcha-mitigation for scripts like jquery which do not need
it
(This improves the render time for scripts that use jquery by ~500ms on MBP OS
10.8.2 Chrome M24)
12 years, 10 months ago
(2013-05-01 14:37:01 UTC)
#5
Adds a third option to the uri policy to give hosts the option to:
* use an alternate, pre-gotcha-mitigated script for a given url
* not perform any gotcha-mitigation for scripts like jquery which do not need
it
(This improves the render time for scripts that use jquery by ~500ms on MBP OS
10.8.2 Chrome M24)
12 years, 10 months ago
(2013-05-01 15:52:45 UTC)
#8
Assuming fixing the boolean sense of "mitigate" and not calling it a mitigating
proxy -- if we don't fix confusing naming, it will remain 4eva in our codebase
-- this CL is lgtm++.
12 years, 10 months ago
(2013-05-01 17:53:08 UTC)
#10
Adds a third option to the uri policy to give hosts the option to:
* use an alternate, pre-gotcha-mitigated script for a given url
* not perform any gotcha-mitigation for scripts like jquery which do not need
it
(This improves the render time for scripts that use jquery by ~500ms on MBP OS
10.8.2 Chrome M24)
12 years, 10 months ago
(2013-05-01 18:00:29 UTC)
#12
Adds a third option to the uri policy to give hosts the option to:
* use an alternate, pre-gotcha-mitigated script for a given url
* not perform any gotcha-mitigation for scripts like jquery which do not need
it
(This improves the render time for scripts that use jquery by ~500ms on MBP OS
10.8.2 Chrome M24)
12 years, 10 months ago
(2013-05-05 08:44:29 UTC)
#14
Should note here what Jas and I chatted about. Some mitigations must still be
mandatory, since Safari and some old Chromes still suffer from the Function
parsing bug https://code.google.com/p/google-caja/issues/detail?id=1616
This may not be the last time we find out that some mitigations must be
mandatory, so we should fix this to support future decisions about which
mitigations are mandatory on what browsers. This will be easier given Kevin's
suggestion that it should be up to SES clients which test failures they are
willing to tolerate, and how they wish to tolerate them.
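An added sketch, not code from this CL or from Caja, of the two points raised in review above: options phrased positively in one object instead of a negative boolean, and a set of mandatory mitigations that a host cannot switch off on platforms failing a given test. Every name below (the mitigation keys, the test id, `resolveMitigations`) is hypothetical, and defaulting an omitted option to "mitigate" is an assumption of this example.

```javascript
// Added illustration; every identifier here is hypothetical, not Caja's API.

// Mitigations a host may request or decline, phrased in the positive sense.
const KNOWN_MITIGATIONS = ['functionParsing', 'topLevelVars', 'typeofRewrite'];

// Constructed table: startup test failures that force a mitigation on.
const MANDATORY_WHEN_FAILING = new Map([
  ['FUNCTION_PARSING_BUG', ['functionParsing']],
]);

// Collect the mitigations this platform requires, given its failed test ids.
function mandatoryFor(failedTests) {
  const required = new Set();
  for (const id of failedTests) {
    for (const name of MANDATORY_WHEN_FAILING.get(id) || []) required.add(name);
  }
  return required;
}

// Merge the host's request with the mandatory set. An omitted option means
// "mitigate", so a forgotten key fails safe; only an explicit false opts out.
function resolveMitigations(hostOptions, failedTests) {
  for (const key of Object.keys(hostOptions)) {
    if (!KNOWN_MITIGATIONS.includes(key)) {
      // Reject typos rather than silently skipping a mitigation.
      throw new Error('unknown mitigation option: ' + key);
    }
  }
  const required = mandatoryFor(failedTests);
  const effective = {};
  const overridden = [];
  for (const name of KNOWN_MITIGATIONS) {
    const wanted = hostOptions[name] !== false;
    // Record opt-outs that the platform forced back on, for the caller to log.
    if (!wanted && required.has(name)) overridden.push(name);
    effective[name] = wanted || required.has(name);
  }
  return { effective, overridden };
}
```

The `overridden` list lets the embedding page report that a requested opt-out was refused on this browser instead of silently ignoring it.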
12 years, 10 months ago
(2013-05-06 10:52:28 UTC)
#15
Adds a third option to the uri policy to give hosts the option to:
* use an alternate, pre-gotcha-mitigated script for a given url
* not perform any gotcha-mitigation for scripts like jquery which do not need
it
(This improves the render time for scripts that use jquery by ~500ms on MBP OS
10.8.2 Chrome M24)
12 years, 10 months ago
(2013-05-08 16:40:45 UTC)
#19
Adds a third option to the uri policy to give hosts the option to:
* use an alternate, pre-gotcha-mitigated script for a given url
* not perform any gotcha-mitigation for scripts like jquery which do not need
it
(This improves the render time for scripts that use jquery by ~500ms on MBP OS
10.8.2 Chrome M24)
Issue 7381051: Add option to not mitigateGotchas for scripts that do not need it.
(Closed)
Created 13 years ago by Jasvir Nagra
Modified 12 years, 10 months ago
Reviewers: ihab.awad, MarkM
Base URL: http://google-caja.googlecode.com/svn/trunk/
Comments: 42