We should review old Caja security advisories, issues, wiki, etc #175

Closed
erights opened this issue Jul 25, 2018 · 4 comments
@erights
Collaborator

erights commented Jul 25, 2018

The advisories: https://github.com/google/caja/wiki/SecurityAdvisories

For each of these, we should classify if they are relevant to modern Realms, Frozen Realms, or SES. Of the relevant ones, we should document whether there is anything there we should still worry about, and why or why not.

Especially interesting relevant advisory: https://github.com/google/caja/wiki/SecurityAdvisory20150313
Mostly, this advisory has to do with ancient browser bugs we no longer need to worry about. But we need to decide what the minimal versions are of all platforms that we do support, and ideally refuse to run on earlier platforms.

@erights
Collaborator Author

erights commented Jul 25, 2018

For the bugs of earlier platforms that we believe we no longer need to worry about on modern platforms, the old Caja/SES (usually in repairES5.js) has tests for those cases, to ensure they stay fixed. We need to make sure there are test262 tests for each of these, translating these old Caja/SES tests to test262 as needed.

Examples include both the advisory above and https://github.com/google/caja/wiki/SecurityAdvisory201308013

@erights
Collaborator Author

erights commented Jul 25, 2018

We can safely ignore anything which was only about ES5/3 mode. This was a full translator from ES5 to ES3, which is no longer relevant at all.

@erights
Collaborator Author

erights commented Jul 25, 2018

https://github.com/google/caja/wiki/SecurityAdvisory20130410 is an example of a vulnerability we have already fixed in the Realms shim, but only after independently rediscovering the issue.

@caridy
Collaborator

caridy commented Nov 21, 2019

Related to shim, closing.
