Ben Laurie blathering

Caja: Capability Javascript

I’ve been running a team at Google for a while now, implementing capabilities in Javascript. Fans of this blog will remember that long ago I did a thing called CaPerl. The idea in CaPerl was to compile a slightly modified version of Perl into Perl, enforcing capability security in the process.

Caja follows a similar path, except that rather than modify Javascript, we restrict it to a large subset. This means that a Caja program will run without modification on a standard Javascript interpreter – though it won’t be secure, of course! When it is compiled, then, as with CaPerl, the result is standard Javascript that enforces capability security. What does this mean? It means that Web apps can embed untrusted third-party code without concern that it might compromise either the application’s or the user’s security.
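As an added illustration (not code from the Caja project or its spec), the sketch below shows the capability discipline described above in plain Javascript: a host hands a stand-in for third-party code one attenuated, revocable reference and nothing else. All names are hypothetical, and it assumes the gadget cannot reach globals or any other host object, which a standard interpreter does not guarantee on its own.

```javascript
// Host-owned state, reachable only through the closures returned here.
function makeStore() {
  const entries = [];
  return Object.freeze({
    append(text) { entries.push(String(text)); },
    read() { return entries.slice(); },   // copy, so callers cannot mutate host state
    clear() { entries.length = 0; }
  });
}

// Attenuation: hand out append-only authority with a per-entry size cap.
function makeAppendOnly(store, maxLen) {
  return Object.freeze({
    append(text) {
      const s = String(text);
      if (s.length > maxLen) throw new RangeError('entry too long');
      store.append(s);
    }
  });
}

// Revocation: a forwarder that the host can cut off later.
function makeRevocable(target) {
  let live = target;
  const proxy = Object.freeze({
    append(text) {
      if (live === null) throw new Error('capability revoked');
      live.append(text);
    }
  });
  return { proxy, revoke() { live = null; } };
}

// Stand-in for untrusted third-party code (assumption: it sees only `log`).
function thirdPartyGadget(log) {
  log.append('gadget started');
  return typeof log.clear;   // no clear() authority was granted
}

// Host wiring: grant, run the gadget, revoke, then observe a late write fail.
function demo() {
  const store = makeStore();
  const { proxy, revoke } = makeRevocable(makeAppendOnly(store, 64));
  const sawClear = thirdPartyGadget(proxy);
  revoke();
  let afterRevoke = 'allowed';
  try { proxy.append('late write'); } catch (e) { afterRevoke = e.message; }
  return { sawClear, afterRevoke, entries: store.read() };
}
```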

Caja will be open source, under the Apache License. We’re still debating whether we will drop our existing code for this as a starting point, or whether we want to take a different approach, but in any case, there’s plenty to be done.

Although the site has been up for a while, I was reluctant to talk about it until there was some way for you to be involved. Now there is – we have a public mailing list. Come along, read the docs (particularly the Halloween version of the spec) and join in the discussions. I’m very excited about this project and the involvement of some world class capability experts, including Mark Miller (of E fame) who is a full-time member of the Caja development team.


  1. Nice work!

    Comment by Danny — 1 Nov 2007 @ 17:22

  2. […] Laurie has posted some initial information about the Caja (Capability Javascript) project that he is leading at […]

    Pingback by Ted Leung on the Air » Blog Archive » Caja: Capability Javascript — 9 Nov 2007 @ 2:39

  3. Will Caja run the artificial AI Mind in JavaScript for Microsoft Internet Explorer (MSIE)? Better yet, can JavaScript or Caja be changed with regard to its security assumptions so that a JavaScript artificial intelligence becomes able to go out on the Web and read webpages as input?

    Comment by Mentifex — 9 Nov 2007 @ 15:56

  4. I’ve been following Caja for a few weeks now, and every day I get more excited about the possibilities. This would be a wonderful piece of technology to incorporate in our website ASAP. If possible, could you give us an idea of the overall architecture of the end product, and how it will be used in practice. It would be awesome if we could start coding our required infrastructure to host said technology.

    The way I understand it now is that Caja will come with a translator (written in Java and E?) that we will want to host on our backend to service script submissions. We will also want to code up our “device drivers” that allow safe access to the DOM and other global objects. How this latter process will work in Caja is a little fuzzy. Is it going to follow the powerbox pattern?

    All in all, any information on what we can do to get ready for Caja is appreciated. Thanks!

    Comment by Adam — 9 Nov 2007 @ 18:26

  5. Hey Ben,

    This is great news. Very exciting.
    I’ve been thinking about how to apply capability discipline to javascript as well. I’ll definitely check out the spec.

    I’m curious about the approach that you describe above, involving a Caja compiler. Does the third party code also need to be run through this compiler to achieve the security properties?

    Do you really mean “embed untrusted third party code without concern that it might compromise…”?
    From my understanding, capabilities allow you to manage the security and isolation of your application/components/objects better, but not to ignore these concerns. I think it is a fairer description to say that capabilities let you manage these concerns. That’s why I like to talk about capability-based security as “authority-oriented design”: it is an extension of OO and it puts security concerns into the developer’s hands possibly to the granularity of an object.

    Comment by Julien Couvreur — 9 Nov 2007 @ 19:20

  6. You neglected to include this in its natural category, sex.

    Comment by Ben Hyde — 12 Nov 2007 @ 2:43

  7. […] Ben Laurie of Google comes out and talks about it. There is a spec: Using Caja, web apps can safely allow […]

    Pingback by Javascript News » Blog Archive » Capability JavaScript: JavaScript isn’t Caja — 12 Nov 2007 @ 20:16

  8. […] Laurie writes about Caja (“Capability Javascript”), a restricted subset of Javascript that supports safe […]

    Pingback by The Third Bit » Blog Archive » Link Soup Redux — 12 Nov 2007 @ 20:54

  9. […] By the way, the most interesting recent development in web application technology: Caja, or Capability Javascript. […]

    Pingback by Mike Linksvayer » gOS: the web takes and gives — 25 Nov 2007 @ 1:10

  10. […] is a perfect example of the kind of thing which Caja[1,2,3] is meant to fix. We should all send positive thoughts in that project’s direction at regular […]

    Pingback by Ascription is an Anathema to any Enthusiasm » Blog Archive » Mindreading webpages! — 31 May 2008 @ 14:39
