Caja project

Caja (pronounced /ˈkɑːhɑː/ KAH-hah)^[1] was a Google project for sanitizing third party HTML, CSS and JavaScript. On January 31, 2021, Google archived the project due to known vulnerabilities and lack of maintenance to keep up with the latest web security research, recommending instead the Closure toolkit.^[2]

The Caja project was led by

DOM objects, the host page typically gives references to wrappers that sanitize HTML, proxy URLs, and prevent redirecting the page; this allowed Caja to prevent certain phishing and cross-site scripting attacks, and prevent downloading malware

. Also, since all rewritten programs ran in the same frame, the host page could allow one program to export an object reference to another program; then inter-frame communication was simply method invocation.

The word "caja" is Spanish for "box" or "safe" (as in a bank), the idea being that Caja could safely contain JavaScript programs as well as being a capabilities-based JavaScript.

Caja was used by

MySpace^[6]^[7] and Yahoo!^[8]

had both deployed a very early version of Caja.

References

^ Mark, Miller. "Caja discussion on the Caplet Group". [cap-talk]. [e-lang]. Archived from the original on 17 May 2008.
^ "Introduction - Caja". Google Developers. Archived from the original on 22 January 2021.
^ Miller, Mark S.; Samuel, M; Laurie, B; Awad, I; Stay, M (7 June 2008). "Safe active content in sanitized JavaScript". Google Scholar.
^ Synodinos, Dio (25 February 2011). "ECMAScript 5, Caja and Retrofitting Security, with Mark S. Miller". InfoQ.
^ "Html Service: Caja Sanitization". Google Developers. Archived from the original on 26 August 2013.
^ "MySpace: Caja JavaScript scrubbing ready for prime time". 4 February 2008. Archived from the original on 1 October 2008.
^ "Web 2.0 Investors: Pay Attention To Caja". Tim Oren's Due Diligence. 11 April 2008.
^ Pullara, Sam (28 October 2008). "OpenSocial API Blog: Launched: Yahoo!'s First Implementation of OpenSocial Support". OpenSocial. Archived from the original on 16 December 2008.

External links

Caja project home page
Caja project source code
Caja playground
Caja draft specification: "Safe active content in sanitized JavaScript", Mark S. Miller, Mike Samuel, Ben Laurie, Ihab Awad, Mike Stay
Yahoo!/Google Caja Javascript Sandbox

[1] Mark, Miller. "Caja discussion on the Caplet Group". [cap-talk]. [e-lang]. Archived from the original on 17 May 2008.

[2] "Introduction - Caja". Google Developers. Archived from the original on 22 January 2021.

[3] Miller, Mark S.; Samuel, M; Laurie, B; Awad, I; Stay, M (7 June 2008). "Safe active content in sanitized JavaScript". Google Scholar.

[4] Synodinos, Dio (25 February 2011). "ECMAScript 5, Caja and Retrofitting Security, with Mark S. Miller". InfoQ.

[5] "Html Service: Caja Sanitization". Google Developers. Archived from the original on 26 August 2013.

[6] "MySpace: Caja JavaScript scrubbing ready for prime time". 4 February 2008. Archived from the original on 1 October 2008.

[7] "Web 2.0 Investors: Pay Attention To Caja". Tim Oren's Due Diligence. 11 April 2008.

[8] Pullara, Sam (28 October 2008). "OpenSocial API Blog: Launched: Yahoo!'s First Implementation of OpenSocial Support". OpenSocial. Archived from the original on 16 December 2008.

[1]

[2]

[6]

[7]

[8]

v t e Object-capability security
Concepts	Principle of least privilege (PoLP) Confused deputy problem Ambient authority File descriptor C-list Object-capability model Capability-based security Capability-based addressing Zooko's triangle Petnames
Operating systems, kernels	Capsicum Fuchsia Genode GNOSIS → KeyKOS → EROS → CapROS Hydra iMAX 432 Midori NLTSS seL4 HarmonyOS (HarmonyOS NEXT) Phantom OS
Programming languages	Cajita E Joe-E Joule
File systems	Tahoe-LAFS
Specialised hardware	BiiN Cambridge CAP Flex IBM System/38 Intel iAPX 432 Plessey System 250

v t e ECMAScript
Dialects	ActionScript Caja JavaScript engines asm.js JScript JScript .NET QtScript TypeScript WMLScript
Engines (comparison)	Carakan Futhark InScript JavaScriptCore JScript KJS Linear B QtScript Rhino SpiderMonkey TraceMonkey JägerMonkey Tamarin V8 ChakraCore Chakra JScript .NET Nashorn
Client-side	Dojo Echo Ext JS Google Web Toolkit jQuery Lively Kernel midori MochiKit MooTools Prototype Pyjs qooxdoo SproutCore Spry Wakanda Framework
Server-side	Node.js Deno Bun Jaxer AppJet WakandaDB
Multiple	Cappuccino
Libraries	Backbone.js SWFObject Underscore.js

See also

References

External links