HOME

TheInfoList



Click Here for Items Related To - Caja (programming Language)
OR:
Caja (programming Language) on:   [Wikipedia]   [Google]   [Amazon]

Caja (pronounced ) was a Google project for sanitizing third party HTML, CSS and JavaScript. On January 31, 2021, Google archived the project due to known vulnerabilities and lack of maintenance to keep up with the latest web security research, recommending instead the Closure toolkit. Caja was designed by Google research scientist
Mark S. Miller Mark S. Miller is an American computer scientist. He is known for his work as one of the participants in the 1979 hypertext project known as Project Xanadu; for inventing Miller columns; and the open-source coordinator of the E programming lan ...
in 2008 as a JavaScript implementation for "virtual iframes" based on the principles of object-capabilities. It would take JavaScript (technically, ECMAScript 5 strict mode code), HTML, and
CSS Cascading Style Sheets (CSS) is a style sheet language used for describing the presentation of a document written in a markup language such as HTML or XML (including XML dialects such as SVG, MathML or XHTML). CSS is a cornerstone techno ...
input and rewrite it into a safe subset of HTML and CSS, plus a single JavaScript function with no free variables. That means the only way such a function could modify an object, was if it was given a reference to the object by the host page. Instead of giving direct references to
DOM Dom or DOM may refer to: People and fictional characters * Dom (given name), including fictional characters * Dom (surname) * Dom La Nena (born 1989), stage name of Brazilian-born cellist, singer and songwriter Dominique Pinto * Dom people, an et ...
objects, the host page typically gives references to wrappers that sanitize HTML, proxy
URL A Uniform Resource Locator (URL), colloquially termed as a web address, is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A URL is a specific type of Uniform Resource Identifie ...
s, and prevent redirecting the page; this allowed Caja to prevent certain phishing and cross-site scripting attacks, and prevent downloading
malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...
. Also, since all rewritten programs ran in the same frame, the host page could allow one program to export an object reference to another program; then inter-frame communication was simply method invocation. The word "caja" is Spanish for "box" or "safe" (as in a bank), the idea being that Caja could safely contain JavaScript programs as well as being a capabilities-based JavaScript. Caja was used by Google in its Google Apps Script products. In 2008 MySpace and Yahoo! had both deployed a very early version of Caja.


See also

*
Joe-E Joe-E is a subset of the Java programming language intended to support programming according to object-capability discipline. The language is notable for being an early object-capability subset language. It has influenced later subset languages ...
, an object-capability subset of Java * E


References


External links


Caja project home page

Caja project source code

Caja playground

Caja draft specification
"Safe active content in sanitized JavaScript",
Mark S. Miller Mark S. Miller is an American computer scientist. He is known for his work as one of the participants in the 1979 hypertext project known as Project Xanadu; for inventing Miller columns; and the open-source coordinator of the E programming lan ...
, Mike Samuel, Ben Laurie, Ihab Awad, Mike Stay
Yahoo!/Google Caja Javascript Sandbox
{{DEFAULTSORT:Caja Project Capability systems Transformation languages