What revision of the cajoler exhibits the problem? On what browser and OS?
FF and Chrome
Does Caja take care of JS DoS conditions? I could create an infinite loop with the following script when cajoled on http://caja.appspot.com. My browser's CPU consumption went up 50% because of this and I had to close the tab (works on the latest FF and Chrome).
What steps will reproduce the problem?
Cajole the following code on appspot:
<html>
  <head>
    <script>
      function ding() {
        // fires an alert every 50 ms; the interval is never cleared
        setInterval(function() { alert("Try escaping me..."); }, 50);
      }
    </script>
  </head>
  <body onload="ding();">
    Click to begin indefinite alerts.
  </body>
</html>
What is the expected output? What do you see instead?
Caja should ideally throttle continuous alerts like FF and Chrome do natively. This doesn't create a DoS condition when run natively in these browsers through a URL.
Please provide any additional information below.
- evil_caja_infiniteAlertsFF6.swf 915.56KB
Comment #1
Posted on Aug 29, 2011 by Massive Lion
Caja does not try to prevent excess CPU consumption by guest code. If the DoS you are concerned about is via alert/confirm, you can provide attenuated versions of these modal functions instead so guest code can call them only a limited number of times (or a limited number of times per minute). Here's a rough example:
// Returns a throttled whitelisted function: it allows only "n" calls to "f",
// after which further calls silently return undefined.
function throttle(caja, frame, n, f) {
  var i = n;
  return caja.tame(caja.markFunction(function() {
    if (i > 0) {
      i--;
      // forward the guest's arguments to the real function
      return f.apply(null, Array.prototype.slice.call(arguments, 0));
    }
  }));
}

caja.load(div, uriPolicy, function(frame) {
  frame.code(...)
       .api({
         // e.g. at most 10 alerts and 10 confirms for the lifetime of the frame
         alert: throttle(caja, frame, 10, alert),
         confirm: throttle(caja, frame, 10, confirm)
       })
       .run();
});
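The attenuation approach described in the comment, as an added example that is not part of this thread or of the Caja project: a host-side attenuate() wrapper (a hypothetical name) that enforces both a lifetime call budget and a per-window rate, which goes beyond the comment's count-only throttle to the "limited number of times per minute" variant it mentions. The fake clock, the recording stand-in for alert and the budget numbers are constructed for the simulation; in a real host the returned wrapper would still be passed through caja.tame(caja.markFunction(...)) as in the comment before being handed to frame.api().

```javascript
// Added example, not Caja project code: a host-side attenuator for a modal
// function such as alert. It enforces a lifetime call budget and a
// per-window rate. The wrapper returned here would be passed through
// caja.tame(caja.markFunction(...)) exactly as in the comment's throttle()
// before being exposed to guest code via frame.api().
function attenuate(f, opts) {
  var maxTotal = opts.maxTotal;          // lifetime budget for the frame
  var maxPerWindow = opts.maxPerWindow;  // budget per time window
  var windowMs = opts.windowMs;          // window length in milliseconds
  // Injectable clock so the behaviour can be simulated without real time.
  var now = opts.now || function () { return Date.now(); };
  var total = 0, inWindow = 0, dropped = 0;
  var windowStart = now();

  function wrapped() {
    var t = now();
    if (t - windowStart >= windowMs) {  // window expired: start a new one
      windowStart = t;
      inWindow = 0;
    }
    if (total >= maxTotal || inWindow >= maxPerWindow) {
      dropped++;          // guest code sees a no-op, not a modal
      return undefined;
    }
    total++;
    inWindow++;
    return f.apply(null, Array.prototype.slice.call(arguments, 0));
  }
  // Host-side counters: a large "dropped" count is the signal that guest
  // code is hammering the modal and is worth logging.
  wrapped.stats = function () { return { total: total, dropped: dropped }; };
  return wrapped;
}

// Simulation of the report's scenario with a fake clock and a recording
// "alert" (constructed stand-ins, so this runs outside a browser).
function simulate() {
  var clock = 0;
  var shown = [];
  var fakeAlert = function (msg) { shown.push(msg); };
  var safeAlert = attenuate(fakeAlert, {
    maxTotal: 8, maxPerWindow: 3, windowMs: 60000,
    now: function () { return clock; }
  });

  // Guest fires every 50 ms, like the setInterval in the report: 100 calls.
  for (var i = 0; i < 100; i++) {
    safeAlert("Try escaping me... #" + i);
    clock += 50;
  }
  // A minute later the per-window budget is fresh again.
  clock += 60000;
  for (var j = 0; j < 4; j++) { safeAlert("w2-" + j); }
  // Another minute later only the remaining lifetime budget is available.
  clock += 65000;
  for (var k = 0; k < 4; k++) { safeAlert("w3-" + k); }

  return { shown: shown, stats: safeAlert.stats() };
}
```

In the simulation the 100-call burst gets three alerts through and drops the other 97; the next window lets three more through, and the final window is cut off by the lifetime cap after two, so the guest's interval loop keeps running but the user is never flooded.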
Status: Invalid
Labels:
Type-Defect
Priority-Medium