Caja project

Caja (pronounced /ˈkɑːhɑː/ KAH-hah)^[1] is a Google project and a JavaScript implementation for "virtual iframes" based on the principles of object-capabilities. Caja takes JavaScript (technically, ECMAScript 5 strict mode code), HTML, and CSS input and rewrites it into a safe subset of HTML and CSS, plus a single JavaScript function with no free variables. That means the only way such a function can modify an object is if it is given a reference to the object by the host page. Instead of giving direct references to DOM objects, the host page typically gives references to wrappers that sanitize HTML, proxy URLs, and prevent redirecting the page; this allows Caja to prevent certain phishing attacks, prevent cross-site scripting attacks, and prevent downloading malware. Also, since all rewritten programs run in the same frame, the host page can allow one program to export an object reference to another program; then inter-frame communication is simply method invocation.

The word "caja" is Spanish for "box" or "safe" (as in a bank), the idea being that Caja can safely contain JavaScript programs as well as being a capabilities-based JavaScript.

Caja is currently used by Google in its Orkut,^[2] Google Sites,^[3] and Google Apps Script^[4] products; in 2008 MySpace^[5]^[6] and Yahoo!^[7] had both deployed a very early version of Caja but later abandoned it.

Look up caja#Spanish in Wiktionary, the free dictionary.

References

↑ Note about pronunciation, October 2007.
↑ orkut Developer Blog: Caja Available on orkut, 2010/03/09, retrieved 2010/04/21
↑ Insert custom HTML, CSS, and Javascript, retrieved 2012/04/16
↑ Html Service: Caja Sanitization 2013/06/28, retrieved 2013/07/25
↑ MySpace: Caja JavaScript scrubbing ready for prime time, 2008/02/04, retrieved 2008/06/08
↑ Tim Oren's Due Diligence: Web 2.0 Investors: Pay Attention To Caja, 2008/04/11, retrieved 2008/06/08
↑ OpenSocial API Blog: Launched: Yahoo!'s First Implementation of OpenSocial Support, 2008/10/28, retrieved 2008/11/15

External links

Caja project home page
Caja project source code
Caja playground
Caja draft specification: "Safe active content in sanitized JavaScript", Mark S. Miller, Mike Samuel, Ben Laurie, Ihab Awad, Mike Stay
Yahoo!/Google Caja Javascript Sandbox

Object-capability security

Concepts	Principle of least authority (POLA) Confused deputy problem Ambient authority File descriptor C-list Object-capability model Capability-based security Capability-based addressing Zooko's triangle Petnames

OS kernels	Hydra NLTSS KeyKOS EROS CapROS Coyotos Midori Fuchsia

Programming languages	Joule E Joe-E Cajita BitC

Filesystems	Tahoe-LAFS

Specialised hardware	Plessey System 250 Cambridge CAP IBM System/38 Intel iAPX 432

ECMAScript

Dialects

Engines
(comparison)

Carakan
Futhark
InScript
JavaScriptCore
- SquirrelFish
JScript
KJS
Linear B
Narcissus
QtScript
Rhino
SpiderMonkey
- TraceMonkey
- JägerMonkey
Tamarin
V8
Chakra (JavaScript engine)
JScript .NET
Nashorn

Frameworks

Client-side	Ample SDK Chaplin.js Dojo Echo Ext JS Google Web Toolkit jQuery Lively Kernel midori MochiKit MooTools Prototype Pyjamas qooxdoo Rialto Rico script.aculo.us SmartClient SproutCore Spry Wakanda Framework YUI Library

Server-side	AppJet Jaxer Node.js WakandaDB

Multiple	Cappuccino Objective-J PureMVC

Libraries	Backbone.js SWFObject SWFAddress Underscore.js

People

Other

Lists: JavaScript libraries; Ajax frameworks
Comparisons: JavaScript frameworks; server-side JavaScript

Google

Overview

Advertising

Communication

Software

Platforms

Account
Android
- version history
- software development
- Android Auto
- Android Pay
- Android TV
- Android Wear
Authenticator
Body
Books
- Library Project
Caja
Cardboard
Cast
Chromecast
Chrome OS
- Chromebit
- Chromebook
- Chromebox
- Chrome Zone
Cloud Platform
- App Engine
- BigQuery
- BigTable
- Compute Engine
- Storage
Contact Lens
Custom Search
Dart
Daydream
Earth Engine
Fit
GFS
Glass
Go
G Suite
- Classroom
Home
Jamboard
Marketplace
Native Client
Nexus
OnHub
OpenSocial
Pixel
Play
- Books
- Games
- Movies & TV
- Music
- Newsstand
Public DNS
Wallet
Wifi

Development
tools

Publishing

Search
(timeline)

Algorithms	PageRank Panda Penguin Hummingbird

Features	Web History Personalized Real-Time Instant Search SafeSearch Voice Search

Analysis	Insights for Search Trends Knowledge Graph Knowledge Vault

Discontinued

People

Founders	Larry Page Sergey Brin

Other

Events	Science Fair Searchology I/O Developer Day AtGoogleTalks Code Jam Highly Open Participation Contest Code-in

Projects	Ara Loon Tango Sunroof

Real estate	111 Eighth Avenue Googleplex

Logo	Doodle4Google Google Doodles

Category
Portal

This article is issued from Wikipedia - version of the 6/25/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.

Caja project

See also

References

External links