How to pass libraries through Google CAJA?


Does anyone know if I can configure Google Caja so that it lets certain libraries work without being sanitized? I have my own Caja server and an application based on NodeJS. I'm passing users' code to Google Caja, which will be mostly related to charts and graphs, but all library functions (like d3js, chart.js) are blocked by Caja. All libraries go through Caja and connect to the user's document without errors, but if users request any feature of a library (for example d3.select("body").append("svg")) then it shows errors like this * is not a function. Does anyone know any method?

PS: I know about the URI policy, but it seems that it just controls everything that goes outside the same-origin domain names, and even if a library is passed through uriPolicy, it is still checked by Caja.

tapananand On

You can return the URL of a pre-mitigated/pre-cajoled/trusted version of the library from the uriPolicy.mitigate function. Just check the library's URL: if it matches, return the pre-mitigated URL; otherwise return null. For example:

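var uriPolicy = {
    // Return the URL of the pre-cajoled copy for a library you trust,
    // or null when there is no trusted copy for this URI.
    mitigate: function(uri) {
        if (/jquery\.js/.test(uri))
            return urlToMyJquery; // variable holding the URL of your pre-cajoled jQuery build
        else
            return null;
    }
};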
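The same idea extended to several libraries with exact URL matching instead of a substring regex, as an added example that is not part of the answer above or of Caja's own code. The CDN and trusted-build URLs are constructed placeholders, and the `String(uri)` coercion assumes Caja may hand `mitigate` either a string or a URI object.

```javascript
// Map of vetted library URLs to the pre-cajoled builds you host.
// Every URL here is a constructed placeholder.
var TRUSTED_BUILDS = {
  "https://cdn.example.com/d3/d3.min.js": "https://caja.example.org/trusted/d3.js",
  "https://cdn.example.com/chartjs/chart.min.js": "https://caja.example.org/trusted/chart.js",
  "https://cdn.example.com/jquery/jquery.js": "https://caja.example.org/trusted/jquery.js"
};

// Reduce a URI to scheme + host + path so that case differences, dot
// segments and query strings cannot produce a second spelling of a key.
// Returns null for anything unparsable, non-HTTPS, or carrying credentials.
function canonicalize(uri) {
  var parsed;
  try {
    parsed = new URL(String(uri));
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "https:" || parsed.username || parsed.password) {
    return null;
  }
  return parsed.origin + parsed.pathname;
}

var uriPolicy = {
  mitigate: function (uri) {
    var key = canonicalize(uri);
    // hasOwnProperty keeps inherited names such as "constructor" from matching.
    if (key !== null && Object.prototype.hasOwnProperty.call(TRUSTED_BUILDS, key)) {
      return TRUSTED_BUILDS[key];
    }
    return null; // no trusted copy for this URI
  }
};
```

Only the exact URLs you vetted map to a trusted build; a URL that merely contains a library's file name falls through to null.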