This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

Release official npm package for caja JS #1977

Open
rgbkrk opened this issue Aug 19, 2015 · 30 comments

@rgbkrk

rgbkrk commented Aug 19, 2015

There are a whole bunch of unmaintained versions of caja's javascript on npm and bower. We'd love to see releases go out with appropriate versions. 😄

The big reason I want to have this available is for offline use in desktop (electron) applications.

/cc @jdfreder

@jdfreder

Thanks for filing this @rgbkrk !

@D1plo1d

D1plo1d commented Oct 7, 2015

+1. An npm package would be awesome!

@sqrtroot

+1 👍

@strugee

strugee commented Aug 11, 2016

Any news here? Seems like this wouldn't take too much effort to do.

@erights
Contributor

erights commented Aug 15, 2016

There is progress at https://github.com/drses/frozen-realms-shim which was blocked by nodejs/node#5679 . I know how to work around this bug but have not yet done so. This is waiting on me. Thanks for the reminder.

@kriskowal @caridy @jasvir @FUDCo @kpreid

@mmc41

mmc41 commented Dec 13, 2016

From the linked bug and the issues it refers to, it seems the blocked issue might have been fixed now.

@erights
Contributor

erights commented Dec 13, 2016

Not fixed yet.

From drses/ses#6 (comment) the Node bug is not expected to be fixed until "Node@9 stable release (April) so Node@10 LTS release (October)".

At drses/ses#6 (comment) I explain how to work around the Node bug in SES. However, I have not yet implemented this workaround.

@NNemec

NNemec commented Feb 11, 2017

Any progress on this?

@rgbkrk
Author

rgbkrk commented Mar 15, 2018

The official guides appear to recommend only loading caja from //caja.appspot.com/caja.js. The reason I'd love to load caja locally is for including as part of an electron app which would allow the user to be offline sometimes.

@dgtlmoon

dgtlmoon commented Apr 2, 2018

@rgbkrk This has to be related to #2030 .. I'm lost too.

@dodtsair

Would this enable someone to run third party javascript on the server in a secure fashion or would that be a different issue?

@rgbkrk
Author

rgbkrk commented Jun 19, 2018

That is totally separate @dodtsair. This package is for sanitizing HTML and JS for running on a frontend. I don't think caja is well suited for sanitizing code that would run in node itself. The reason we want an npm package for caja is so that we can bundle it as part of a web app.

@metaweta
Contributor

metaweta commented Jun 19, 2018 via email

@rgbkrk
Author

rgbkrk commented Jun 19, 2018

Nice!

@metaweta
Contributor

metaweta commented Jun 19, 2018 via email

@steve8708

@metaweta is there a CLI for Caja, specifically the SES side of it?

I'm also very interested in using just SES to run third party javascript safely in my web application.

I do not need any of the dom stuff, I just want to pass the JS to my backend to run it through a compiler that strips anything unsafe, then return a safe JS string to run on the client.

If there is no official NPM package, I can do this with a child process if there is a CLI, but I can't seem to find any documentation on one despite finding a bin directory in this project.

@metaweta
Contributor

metaweta commented Feb 22, 2019 via email

@steve8708

I see, thanks so much @metaweta

@erights
Contributor

erights commented Feb 22, 2019

Hi @rgbkrk @steve8708 @metaweta everyone,

The modern SES at https://github.com/Agoric/SES is in good shape, and runs on both browser and Node, though https://github.com/Agoric/SES/issues?q=is%3Aopen+is%3Aissue+label%3A1.0-blocker shows some remaining bugs we want to close before declaring 1.0.

Our npm package is up to date https://www.npmjs.com/package/ses

You can run the Node.js CLI and do something like:

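```js
const SES = require('ses');
// Create a fresh SES root realm to evaluate code in
const s = SES.makeSESRootRealm();
// Evaluate an expression with `a` supplied as an endowment
s.evaluate('1+a', { a: 2 }); // emits 3
```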

A more ergonomic CLI should be easy, but we're not currently working on one. Feel free to file an "enhancement" issue requesting one.

Thanks!

@erights
Contributor

erights commented Feb 22, 2019

I filed the enhancement request at https://github.com/Agoric/SES/issues/62

@steve8708

@erights fantastic!

Thank you for the info. I saw your project before and it had big warnings not to use it in production, so I avoided it in fear that I'd never know how long it will be until a project is out of that status (or ever!).

But it sounds like you are more confident in the status of your project than the impression I originally got, so I will gladly give it a try!

@erights
Contributor

erights commented Feb 22, 2019

@steve8708 indeed I am. Please proceed. Feedback would be awesome, thanks!

@steve8708

steve8708 commented Feb 22, 2019 via email

@steve8708

Threw my feedback and questions over here @erights, and thanks again!

@slikts

slikts commented Apr 1, 2020

Caja includes an HTML sanitizer, while SES is just for scripts, so a package for Caja would still be useful. It also shouldn't be low priority since packages are the standard way of using dependencies. Just providing a JS file was a long out of date practice even when this issue was opened.

@erights
Contributor

erights commented Apr 2, 2020

@slikts Caja is an open source project. Please contribute! Better, please fork and improve.

At https://github.com/Agoric/SES-shim we're making good progress on SES. But the rest of Caja, as you say, could be revived and turned into something valuable. This repository is not very active, so doing it yourself in a fork is probably better. Thanks.

@rgbkrk
Author

rgbkrk commented Apr 23, 2020

Caja is open source, we don't doubt that 😄 -- the reason this issue is filed is so we can have an official release on npm for us all to rely on.

@erights
Contributor

erights commented Apr 23, 2020 via email

@ghost

ghost commented Apr 23, 2020

@rgbkrk The Caja project is not under active development, though patches are still being accepted. The SES portion of Caja has been split off, is currently maintained by Agoric, and has an npm package. If someone would like to make use of the HTML sanitizer in node, they're going to have to make the package themselves and file the merge request for review.

@rgbkrk
Author

rgbkrk commented Apr 23, 2020

Thanks!
