Introduction

Caja is a system, written in Java and built using Ant, for enabling the safe inclusion of untrusted third-party web content (HTML, CSS and JavaScript code) into a host page. Each chunk of web content is rewritten, or "cajoled", into a "module", consisting of some static HTML and some JavaScript. Each module is isolated from every other module except by means of object references granted to the modules by the host page.

Design considerations

Threat model
- Defensive code problem
  - Mutually suspicious gadgets can cooperate
- Offensive code problem
  - A gadget can't interfere with the container
  - Gadgets can't interfere with other gadgets

Desired features
- Legacy Tools problem
  - Existing tools can be easily adapted to support the language
- Legacy Code problem
  - Existing code can be easily adapted to work with the language
- Support Virtualization
Resulting languages

Cajita

Removes from JavaScript the "sharp knives":
- eval
- with
- this
- variable deletion
- the complicated coercion rules surrounding == and !=

Adds to JavaScript:
- cajita.freeze, giving immutable objects

Interoperates well with the existing browser API. A decent language to program in!

Threats & features:
- Defensive: frozen objects can't be modified by others, even within the same environment.
- Offensive:
  - Cajita is rewritten by the cajoler into code with no free variables, so there is no way for Cajita code to gain access statically to references other than by explicit grant.
  - Runtime checks prevent dynamic access.
- Tools: Cajita is a subset of JavaScript, so all the tools work unchanged.
- No support for legacy code: the language excises many parts of JavaScript, so most old code won't work.
- Virtualization: we can emulate all the excised parts, effectively having several separate JavaScript environments. These environments can only interact via references that they get from the host page.
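The two Cajita properties above, defensive frozen objects and access only by explicit grant, as an added illustration in plain JavaScript. This is not Caja's own code or its cajoler output: cajita.freeze is stood in for by the standard Object.freeze (an assumption of the example; the ES5 primitive has the same intent but is not identical), and a "module with no free variables" is modelled as a function that can only touch the `imports` object the host page hands it.

```javascript
// Added example, not Caja code.  Assumptions: Object.freeze stands in for
// cajita.freeze, and each module is a function whose only way to reach the
// outside world is its `imports` parameter (the cajoler's "no free variables"
// guarantee, simplified to a calling convention).

// The host page builds a defensive object: a counter whose only mutation path
// is its own methods.  Freezing it means nobody can swap those methods out or
// add properties later.
function makeCounter() {
  let count = 0;                          // private state, reachable only through closures
  return Object.freeze({
    increment() { count += 1; return count; },
    value() { return count; },
  });
}

// Untrusted module A: granted the counter itself, so it may increment it.
// It then tries to tamper with the shared object.  In strict mode the write to
// a frozen object throws a TypeError; in sloppy mode it is silently ignored.
// Either way the object is unchanged, which is what "defensive" means here.
function moduleA(imports) {
  const c = imports.counter;
  c.increment();
  c.increment();
  const original = c.increment;
  try {
    c.increment = () => 999;
  } catch (e) {
    // strict mode: TypeError, expected
  }
  return { seen: c.value(), tampered: c.increment !== original };
}

// Untrusted module B: granted only a read function, a different reference.
// Nothing in its reachable graph can increment the counter.
function moduleB(imports) {
  return { seen: imports.readCounter() };
}

// The host page decides which references each module receives.  The import
// objects are frozen too, so a module cannot plant properties on them for
// another module to find.
function runHost() {
  const counter = makeCounter();
  const a = moduleA(Object.freeze({ counter }));
  const b = moduleB(Object.freeze({ readCounter: () => counter.value() }));
  return { a, b, final: counter.value() };
}
```

Module B never sees `counter`, only a closure over it, so the host has granted it strictly less authority than module A; that asymmetry, decided entirely by the host, is the object-capability discipline the cajoler makes enforceable by removing free variables.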
Valija

Adds back into Cajita "toy knives": they behave like the JavaScript knives, but only within a Cajita module. Valija code cannot interfere with code in other modules. For example, one can write Object.prototype.x = 1; in Valija, and all objects in that module will appear to have an x property, but objects in other modules will be unaffected.

Threats & features:
- Not defensive: Valija emulates "monkey patching", which appears to change the object, so objects within the module can effectively violate each other's invariants.
- Offensive:
  - Valija is rewritten into Cajita, which is rewritten by the cajoler into code with no free variables, so there is no way for Valija code to gain access statically to references other than by explicit grant.
  - Runtime checks prevent dynamic access.
- Tools: Valija is a subset of JavaScript, so all the tools work unchanged.
- Code: nearly all of JavaScript is supported.
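The Object.prototype.x = 1 example above, as an added illustration of how a per-module emulation keeps monkey patching inside one module. This is not Valija's actual rewrite output; it assumes the rewriter replaces each module's object literals with a call to a hypothetical `makeObject(env)` and each reference to Object.prototype with a module-local root object, which is the kind of mechanical substitution a rewriter can perform.

```javascript
// Added example, not Valija code.  Assumption: object literals inside a module
// are created via env.makeObject(...) and "Object.prototype" inside a module
// denotes env.ObjectPrototype, a root object private to that module.

// One isolated environment per module.  Its root inherits from the real
// Object.prototype so ordinary methods (hasOwnProperty, toString, ...) still
// work inside the module, but writes land on the module-local root only.
function makeModuleEnv(name) {
  const ObjectPrototype = Object.create(Object.prototype);
  return {
    name,
    ObjectPrototype,
    // Stand-in for `{ ...props }` inside the module: the new object's
    // prototype chain runs through the module's own root.
    makeObject(props) {
      return Object.assign(Object.create(ObjectPrototype), props);
    },
  };
}

// What `Object.prototype[key] = value` inside a Valija module becomes under
// this emulation: an assignment on that module's root object.
function monkeyPatchObjectPrototype(env, key, value) {
  env.ObjectPrototype[key] = value;
}

// Two mutually suspicious modules sharing one JavaScript heap.
function demo() {
  const envA = makeModuleEnv('A');
  const envB = makeModuleEnv('B');

  const objA = envA.makeObject({ a: 1 });
  const objB = envB.makeObject({ b: 2 });

  // Module A executes Object.prototype.x = 1.
  monkeyPatchObjectPrototype(envA, 'x', 1);

  return {
    aSeesX: objA.x,        // 1: every object in module A now appears to have x
    bSeesX: objB.x,        // undefined: module B is unaffected
    hostSeesX: ({}).x,     // undefined: the real Object.prototype is untouched
    rootsDistinct: Object.getPrototypeOf(objA) !== Object.getPrototypeOf(objB),
  };
}
```

The emulation alone is not the whole story: in this plain-JavaScript model a module could still walk `Object.getPrototypeOf` up to the real Object.prototype. Keeping that route closed is the job of the Cajita rewriting and runtime checks listed under "Offensive" above; the example only shows why the emulated toy knife cannot cut another module.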
Tools

Web content is rewritten using the Java cajoler. There is a command-line version (bin/cajole_html), an interactive applet version (ant-www/testbed), a cajoling service on App Engine (http://caja.appspot.com), and a Java class for use by those who want to cajole code themselves (used by Yahoo! and Shindig, for example).