This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

Documentation for hosting caja server #2030

Open
Marchhill opened this issue Feb 6, 2018 · 5 comments

@Marchhill

I am trying to make guest pages able to include external scripts. However, this does not work using "https://caja.appspot.com"; it does not allow external scripts. How can I run my own caja server? Is there any documentation?

@kpreid
Contributor

kpreid commented Feb 6, 2018

Yes, the documentation never got written for how to do this properly and it's a bit of a mess overall.

If the external scripts come from a CORS-enabled server, then you don't need any "Caja server" at all, just the JavaScript files:

We use ant for our build system, so make sure you have ant installed and then run it in the source tree. All of the JS files will be compiled to:

```
ant-lib/com/google/caja/plugin/*.js
```

Note that this includes files you don't need as well as ones you do. The only ones you need are caja.js and ses-single-frame.js, unless you're making use of standalone components like the HTML sanitizer or SES, or using the Google APIs taming.

Then in your configuration you specify the URI policy as [EDIT: previous values were misspelled]

```js
var uriPolicy = {
  fetch: caja.policy.net.fetcher.USE_XHR,
  rewrite: caja.policy.net.rewriter.ALL
};
```

If at all possible, I recommend this mode of operation.

Otherwise, if you have a Java servlet environment you can load com.google.caja.service.ProxyServlet, or (least pleasantly) reimplement the proxy protocol provided by it on your own server platform.
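
A check for the "CORS-enabled server" precondition mentioned in the comment above, as an added example that is not part of the original thread or the Caja project: it applies the browser's CORS rule for reading a cross-origin XHR response to a set of response headers. The function name `corsAllowsRead`, the origins and the sample headers are constructed for illustration.

```javascript
// Added example (not Caja code): decide whether a browser would let a page at
// `pageOrigin` read a cross-origin XHR response carrying `headers`.
// Covers the simple-GET case used to fetch a script; preflight is out of scope.
function corsAllowsRead(headers, pageOrigin, withCredentials = false) {
  // Header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (withCredentials) {
    // The wildcard is not honoured for credentialed requests.
    if (allowOrigin === '*') {
      return { ok: false, reason: 'wildcard origin not allowed with credentials' };
    }
    if (h['access-control-allow-credentials'] !== 'true') {
      return { ok: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
    }
  } else if (allowOrigin === '*') {
    return { ok: true, reason: 'wildcard origin' };
  }
  // Otherwise the value must be exactly one origin, matching byte for byte
  // (scheme, host and port; no trailing slash, no comma-separated list).
  if (allowOrigin !== pageOrigin) {
    return { ok: false, reason: `origin mismatch: got "${allowOrigin}"` };
  }
  return { ok: true, reason: 'exact origin match' };
}

// Constructed sample responses from a hypothetical script host.
const samples = [
  [{ 'Access-Control-Allow-Origin': '*' }, 'http://localhost:8080'],
  [{ 'access-control-allow-origin': 'http://localhost:8080/' }, 'http://localhost:8080'],
  [{ 'Content-Type': 'application/javascript' }, 'http://localhost:8080'],
];
for (const [hdrs, origin] of samples) {
  console.log(origin, JSON.stringify(hdrs), corsAllowsRead(hdrs, origin));
}
```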

@Marchhill
Author

Thank you for your very quick reply. I have set up my local server with CORS enabled and have changed the URI policy; however, I still receive the same error message.

```
Uncaught script error: Uncaught Error: not loaded in source: "http://localhost:8000/test.js" at line: -1
ses-single-frame.js:34340:5
```

@kpreid
Contributor

kpreid commented Feb 6, 2018

For debugging, let's take this to https://groups.google.com/group/google-caja-discuss instead of the issue tracker. When you post, please include the script you're using to configure Caja and load the code.

@dgtlmoon

dgtlmoon commented Apr 2, 2018

@kpreid Hmm, this kind of information should go way higher up in the README.md. I spent hours trying to compile the code, and eventually found a Docker image which runs very nicely, but I still can't figure out how to use the Docker image, which exposes an API (tmlbl/caja). So after all this, you're saying you don't actually need that caja core server, and you can use some JS instead? I'm totally lost.

If I curl "http://172.18.0.4:8887/":

```
{"messages":[{"level":6,"name":"FATAL_ERROR","type":"MISSING_ARGUMENT","message":"Missing argument URL"}]}
```

I've no idea where to start to find the documentation to even send it what it is that it's expecting to be sent.

In my case, I wish to sanitise some HTML (from an email) that will get rendered in with some existing HTML.

@dgtlmoon

dgtlmoon commented Apr 2, 2018

Also related #1987
