Ben Laurie blathering

Caja on Orkut

If you’ve been living in a box for the last couple of years, you might not know that Caja is an open source project I am involved in at Google to make the web safer. Specifically, it allows untrusted JavaScript, HTML and CSS to be sandboxed in a very fine-grained way. For example, the untrusted content can be limited to a subset of the whole DOM, primordial objects can be replaced or removed, properties of objects can be protected (from read, write or execution) and any method can be removed, replaced or attenuated. Yet it is still possible to write fully-featured JavaScript applications in Caja. And, as a bonus, Caja hides the differences between browsers – any code you write will Just Work on any supported browser.

Caja has long been used by Yahoo!, ironically, to protect users from malicious gadgets on their Application Platform, but until recently it has been a bit of a poor relative at Google. So, I’m pleased to report that it is now in use to protect Orkut users.

Because Caja is open source, we don’t necessarily find out when people use it: do you know of someone using Caja? Leave a comment!

1 Comment

  1. Hi Ben – I don’t know of any Caja deployments, but I do know of someone *still* waiting for his Caja t-shirt. Any chance you could cajole someone into sending it along? 😉 XL, please 🙂

    Comment by Pat Patterson — 21 Mar 2010 @ 2:21
