Caja (pronounced ) was a

Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...

project for sanitizing third party HTML, CSS and JavaScript. On January 31, 2021, Google archived the project due to known vulnerabilities and lack of maintenance to keep up with the latest web security research, recommending instead the Closure toolkit. Caja was designed by Google research scientist

Mark S. Miller Mark S. Miller is an American computer scientist. He is known for his work as one of the participants in the 1979 hypertext project known as Project Xanadu; for inventing Miller columns; and the open-source coordinator of the E programming lan ...

in 2008 as a JavaScript implementation for "virtual iframes" based on the principles of object-capabilities. It would take

JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of Website, websites use JavaScript on the Client (computing), client side ...

(technically,

ECMAScript 5 ECMAScript is a JavaScript standard developed by Ecma International. Since 2015, major versions have been published every June. ECMAScript 2022, the 13th and current version, was released in June 2022. Versions In June 2004, Ecma International p ...

strict mode code),

HTML The HyperText Markup Language or HTML is the standard markup language for documents designed to be displayed in a web browser. It can be assisted by technologies such as Cascading Style Sheets (CSS) and scripting languages such as JavaScri ...

, and

CSS Cascading Style Sheets (CSS) is a style sheet language used for describing the presentation of a document written in a markup language such as HTML or XML (including XML dialects such as SVG, MathML or XHTML). CSS is a cornerstone techno ...

input and rewrite it into a safe subset of HTML and CSS, plus a single JavaScript function with no

free variable In mathematics, and in other disciplines involving formal languages, including mathematical logic and computer science, a free variable is a notation (symbol) that specifies places in an expression where substitution may take place and is not ...

s. That means the only way such a function could modify an object, was if it was given a

reference Reference is a relationship between objects in which one object designates, or acts as a means by which to connect to or link to, another object. The first object in this relation is said to ''refer to'' the second object. It is called a ''name'' ...

to the object by the host page. Instead of giving direct references to

DOM Dom or DOM may refer to: People and fictional characters * Dom (given name), including fictional characters * Dom (surname) * Dom La Nena (born 1989), stage name of Brazilian-born cellist, singer and songwriter Dominique Pinto * Dom people, an et ...

objects, the host page typically gives references to wrappers that sanitize HTML, proxy URLs, and prevent redirecting the page; this allowed Caja to prevent certain

phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...

and

cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may ...

attacks, and prevent downloading

malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...

. Also, since all rewritten programs ran in the same frame, the host page could allow one program to export an object reference to another program; then inter-frame communication was simply method invocation. The word "caja" is Spanish for "box" or "safe" (as in a bank), the idea being that Caja could safely contain JavaScript programs as well as being a capabilities-based JavaScript. Caja was used by

in its

Google Apps Script Google Apps Script is a scripting platform developed by Google for light-weight application development in the Google Workspace platform. Google Apps Script was initially developed by Mike Harm as a side project while working as a developer on G ...

products. In 2008 MySpace and

Yahoo! Yahoo! (, styled yahoo''!'' in its logo) is an American web services provider. It is headquartered in Sunnyvale, California and operated by the namesake company Yahoo Inc., which is 90% owned by investment funds managed by Apollo Global Man ...

had both deployed a very early version of Caja.

References

External links

Caja project home page

Caja project source code

Caja playground

Caja draft specification
"Safe active content in sanitized JavaScript",

, Mike Samuel,

Ben Laurie Ben Laurie is an English software engineer. He is currently the Director of Security at The Bunker Secure Hosting. Laurie wrote Apache-SSL, the basis of most SSL-enabled versions of the Apache HTTP Server. He developed the MUD ''Gods'', which was ...

, Ihab Awad, Mike Stay
Yahoo!/Google Caja Javascript Sandbox
{{DEFAULTSORT:Caja Project Capability systems Transformation languages

See also

References

External links