google-caja - Google Code

Code license:	Apache License 2.0
Labels:	Google, Javascript, Security, Object-capabilities, Caja, ABAC, POLA, Sanitizing, Mashups, Prototype

Show all Featured downloads:
Caja_External_Security_Review_v2.pdf caja-spec-2008-06-07.pdf caja-transformation-rules-2008-06-06.pdf

Show all Featured wiki pages:
GettingStarted

Links:	Object-capabilities on Wikipedia Caja on Yahoo's App Platform Yahoo's Caja support pages Tim Oren explains Caja Other object-capability languages Possible Attack Vectors Review candidate changes
Blogs:	Applying object-capabilities to the browser and web security Discussions of object-capability language issues General object-capability discussions OpenSocial API Blog
Feeds:	Project feeds
Groups:	Caja Discussion Group

People details

Project owners:
	mikesamuel, erights, benlaurie, ihab.awad, metaweta, jasvir, b...@links.org, adriennefelt, adam.sah, marius.schilder
Project committers:
	elsigh, chrohrs, dcoker, nobigdealstyle, johnfargo, mdynin, dirk.balfanz, danfuzz1, lahosken, brunob, pascallouisperez, daniel.e.rabin, llamaguy, gwt.team.dpeterson, goo...@speechcode.com, costa.jason, dglibi...@google.com, zestyping, davidsarah.hopwood, collin.jackson, daw+goo...@taverner.cs.berkeley.edu, tyler.close, felix8a, miraglia, kpr...@mac.com, maoziqing, ptwobrussell

Caja (pronounced "KA-ha") allows you to put untrusted third-party HTML and JavaScript inline in your page and still be secure.

Caja

gives stricter control over what the code can do:

no redirects to phishing pages: the window object the untrusted code has is a fake one created by the containing page
no malware: all requests to URLs are proxied
no XSS: dynamic HTML sanitization

allows the untrusted code more power than is safe to give to code currently in iframes. Here are some possibilities:

floating frames ("info windows")
frames don't have to be rectangular
frames can communicate without the current awkward protocols

a reader could broadcast geographic information about the current article; a maps gadget jumps to the location, while a news gadget gets local stories and a weather gadget pulls up the weather
similarly for financial info or entertainment info
an extensible syntax highlighter could have plugins that can mark up text but not leak the contents to another website
can be a bit channel (can only send information) or a code channel (can send functions)
hosting page can control who talks to whom

Cajoled Gadget	Uncajoled Gadget

Information for

Gadget authors

Just write your gadgets in Javascript/DHTML and they'll probably work right away. Try it!
Caja on YAP, the Yahoo Application Platform
Article on YDN discussing the benefits and gotchas of developing apps with Caja

Containers looking to host gadgets on their pages

The computer industry has only one significant success enabling documents to carry active content safely: scripts in web pages. Normal users regularly browse untrusted sites with Javascript turned on. Modulo browser bugs and phishing, they mostly remain safe. But even though web apps build on this success, they fail to provide its power. Web apps generally remove scripts from third party content, reducing content to passive data. Examples include webmail, groups, blogs, chat, docs and spreadsheets, wikis, and more.

Were scripts in an object-capability language, web apps could provide active content safely, simply, and flexibly. Surprisingly, this is possible within existing web standards. Caja represents our discovery that a subset of Javascript is an object-capability language.

ECMAScript-262 Third Edition (ES3) Specification

Talks

Cajoled Gadget

Uncajoled Gadget