This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

SecurityAdvisory20180402

Kevin Reid edited this page Apr 2, 2018 · 1 revision

Background

Caja contains an optional feature, in the deprecated ES5/3 mode, to allow embedding Flash content. To do this, Caja has to specify options that prohibit the Flash content from interacting with the host page, because such interaction would bypass the sandbox. A means was found to override these options.

Impact and Advice

Given that ES5/3 mode is already deprecated, and the state of Flash on the web, we have decided to resolve this by removing all remaining support for Flash in Caja.

Users should upgrade to Caja v6013 or later, or if this is not immediately feasible, remove the flash option from their Caja configuration if it is present. If your application is not explicitly using the deprecated ES5/3 mode, this should not have any functional effect.
