Open rgbkrk opened 9 years ago
Thanks for filing this @rgbkrk !
+1. An npm package would be awesome!
+1 :+1:
Any news here? Seems like this wouldn't take too much effort to do.
There is progress at https://github.com/drses/frozen-realms-shim which was blocked by https://github.com/nodejs/node/issues/5679 . I know how to work around this bug but have not yet done so. This is waiting on me. Thanks for the reminder.
@kriskowal @caridy @jasvir @fudco @kpreid
From the linked bug and the issues it refers to, it seems the blocked issue might have been fixed now.
Not fixed yet.
From https://github.com/drses/ses/issues/6#issuecomment-266612257 the Node bug is not expected to be fixed until "Node@9 stable release (April) so Node@10 LTS release (October)".
At https://github.com/drses/ses/issues/6#issuecomment-266613254 I explain how to work around the Node bug in SES. However, I have not yet implemented this workaround.
Any progress on this?
The official guides appear to recommend only loading caja from //caja.appspot.com/caja.js. The reason I'd love to load caja locally is for including as part of an electron app which would allow the user to be offline sometimes.
@rgbkrk This has to be related to #2030 .. I'm lost too.
Would this enable someone to run third party javascript on the server in a secure fashion or would that be a different issue?
That is totally separate @dodtsair. This package is for sanitizing HTML and JS for running on a frontend. I don't think caja is well suited for sanitizing code that would run in node itself. The reason we want an npm package for caja is so that we can bundle it as part of a web app.
There are two parts to Caja. One is the virtual DOM, which is a front-end thing. The other is Secure ECMAScript (SES), which runs equally well on the back end and on the front end and can be used to run third-party javascript in a secure fashion.
On Tue, Jun 19, 2018 at 4:33 PM, Kyle Kelley notifications@github.com wrote:
> That is totally separate @dodtsair https://github.com/dodtsair. This package is for sanitizing HTML and JS for running on a frontend. I don't think caja is well suited for sanitizing code that would run in node itself. The reason we want an npm package for caja is so that we can bundle it as part of a web app.
-- Mike Stay - metaweta@gmail.com http://www.math.ucr.edu/~mike http://reperiendi.wordpress.com
Nice!
There was a bug that was preventing SES from working on Node, but it was recently closed. (https://github.com/nodejs/node/issues/5679)
Note that SES freezes built-ins, so not all libraries just work out of the box. Anything that assumes the existence of nodejs or browser APIs will probably fail. The require API would need taming. But pure javascript that isn't trying to do anything funny with mutating prototypes of built-in objects should work fine.
On Tue, Jun 19, 2018 at 5:18 PM, Kyle Kelley notifications@github.com wrote:
> Nice!
-- Mike Stay - metaweta@gmail.com http://www.math.ucr.edu/~mike http://reperiendi.wordpress.com
@metaweta is there a CLI for Caja, specifically the SES side of it?
I'm also very interested in using just SES to run third party javascript safely in my web application.
I do not need any of the dom stuff, I just want to pass the JS to my backend to run it through a compiler that strips anything unsafe, then return a safe JS string to run on the client.
If there is no official NPM package, I can do this with a child process if there is a CLI, but I can't seem to find any documentation on one despite finding a bin directory in this project
On Thu, Feb 21, 2019 at 7:31 PM Steve Sewell notifications@github.com wrote:
> @metaweta is there a CLI for Caja, specifically the SES side of it?
Not that I know of, but it should be fairly trivial to write one.
> I'm also very interested in using just SES to run third party javascript safely in my web application.
> I do not need any of the dom stuff, I just want to pass the JS to my backend to run it through a compiler that strips anything unsafe, then return a safe JS string to run on the client.
That's not how SES works; everything's client-side.
> If there is no official NPM package, I can do this with a child process if there is a CLI, but I can't seem to find any documentation on one despite finding a bin directory in this project
-- Mike Stay - metaweta@gmail.com http://math.ucr.edu/~mike https://reperiendi.wordpress.com
I see, thanks so much @metaweta
Hi @rgbkrk @steve8708 @metaweta everyone,
The modern SES at https://github.com/Agoric/SES is in good shape, and runs on both browser and Node. Though https://github.com/Agoric/SES/issues?q=is%3Aopen+is%3Aissue+label%3A1.0-blocker shows some remaining bugs we want to close before declaring 1.0
Our npm package is up to date https://www.npmjs.com/package/ses
You can run the Node.js CLI and do something like:
```js
const SES = require('ses');
const s = SES.makeSESRootRealm();
s.evaluate('1+a', { a: 2 }); // emits 3
```
A more ergonomic CLI should be easy, but we're not currently working on one. Feel free to file an "enhancement" issue requesting one.
Thanks!
I filed the enhancement request at https://github.com/Agoric/SES/issues/62
@erights fantastic!
Thank you for the info. I saw your project before and it had big warnings not to use in production, so I avoided in fear that I never know how long it will be until a project is out of that status (or ever!).
But it sounds that you are more confident in the status of your project than the impression I originally got so I will gladly give it a try!
@steve8708 indeed I am. Please proceed. Feedback would be awesome, thanks!
haha I'm glad you asked, I do have feedback! And some questions - I'll create an issue in your project to keep it out of this thread. And thanks!
On Fri, Feb 22, 2019 at 3:54 PM Mark S. Miller notifications@github.com wrote:
> @steve8708 https://github.com/steve8708 indeed I am. Please proceed. Feedback would be awesome, thanks!
Threw my feedback and questions over here @erights, and thanks again!
Caja includes a HTML sanitizer, while SES is just for scripts, so a package for Caja would still be useful. It also shouldn't be low priority since packages are the standard way of using dependencies. Just providing a JS file was a long out of date practice even when this issue was opened.
@slikts Caja is an open source project. Please contribute! Better, please fork and improve.
At https://github.com/Agoric/SES-shim we're making good progress on SES. But the rest of Caja, as you say, could be revived and turned into something valuable. This repository is not very active, so doing it yourself in a fork is probably better. Thanks.
Caja is open source, we don't doubt that 😄 -- the reason this issue is filed is so we can have an official release on npm for us all to rely on.
See npm package "ses"
On Thu, Apr 23, 2020, 8:18 AM Kyle Kelley notifications@github.com wrote:
> Caja may be open source -- the reason this issue is filed is so we can have an official release on npm for us all to rely on.
@rgbkrk The Caja project is not under active development, though patches are still being accepted. The SES portion of Caja has been split off, is currently maintained by Agoric, and has an npm package. If someone would like to make use of the HTML sanitizer in node, they're going to have to make the package themselves and file the merge request for review.
Thanks!
There are a whole bunch of unmaintained versions of caja's javascript on npm and bower. We'd love to see releases go out with appropriate versions. :smile:
The big reason I want to have this available is for offline use in desktop (electron) applications.
/cc @jdfreder