HOME

TheInfoList



Click Here for Items Related To - Caja Project
OR:
Caja Project on:   [Wikipedia]   [Google]   [Amazon]

Caja (pronounced ) was a
Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronic ...
project for sanitizing third party HTML, CSS and JavaScript. On January 31, 2021, Google archived the project due to known vulnerabilities and lack of maintenance to keep up with the latest web security research, recommending instead the Closure toolkit. Caja was designed by Google research scientist Mark S. Miller in 2008 as a JavaScript implementation for "virtual iframes" based on the principles of object-capabilities. It would take
JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of websites use JavaScript on the client side for webpage behavior, ofte ...
(technically, ECMAScript 5 strict mode code),
HTML The HyperText Markup Language or HTML is the standard markup language for documents designed to be displayed in a web browser. It can be assisted by technologies such as Cascading Style Sheets (CSS) and scripting languages such as JavaScript ...
, and
CSS Cascading Style Sheets (CSS) is a style sheet language used for describing the presentation of a document written in a markup language such as HTML or XML (including XML dialects such as SVG, MathML or XHTML). CSS is a cornerstone technol ...
input and rewrite it into a safe subset of HTML and CSS, plus a single JavaScript function with no
free variable In mathematics, and in other disciplines involving formal languages, including mathematical logic and computer science, a free variable is a notation (symbol) that specifies places in an expression where substitution may take place and is ...
s. That means the only way such a function could modify an object, was if it was given a
reference Reference is a relationship between objects in which one object designates, or acts as a means by which to connect to or link to, another object. The first object in this relation is said to ''refer to'' the second object. It is called a '' name'' ...
to the object by the host page. Instead of giving direct references to DOM objects, the host page typically gives references to wrappers that sanitize HTML, proxy
URL A Uniform Resource Locator (URL), colloquially termed as a web address, is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A URL is a specific type of Uniform Resource Identifi ...
s, and prevent redirecting the page; this allowed Caja to prevent certain
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
and
cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability m ...
attacks, and prevent downloading
malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depr ...
. Also, since all rewritten programs ran in the same frame, the host page could allow one program to export an object reference to another program; then inter-frame communication was simply method invocation. The word "caja" is Spanish for "box" or "safe" (as in a bank), the idea being that Caja could safely contain JavaScript programs as well as being a capabilities-based JavaScript. Caja was used by
Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronic ...
in its
Google Apps Script Google Apps Script is a scripting platform developed by Google for light-weight application development in the Google Workspace platform. Google Apps Script was initially developed by Mike Harm as a side project while working as a developer on G ...
products. In 2008 MySpace and
Yahoo! Yahoo! (, styled yahoo''!'' in its logo) is an American web services provider. It is headquartered in Sunnyvale, California and operated by the namesake company Yahoo Inc., which is 90% owned by investment funds managed by Apollo Global Manag ...
had both deployed a very early version of Caja.


See also

* Joe-E, an object-capability subset of
Java Java (; id, Jawa, ; jv, ꦗꦮ; su, ) is one of the Greater Sunda Islands in Indonesia. It is bordered by the Indian Ocean to the south and the Java Sea to the north. With a population of 151.6 million people, Java is the world's mo ...
* E


References


External links


Caja project home page

Caja project source code

Caja playground

Caja draft specification
"Safe active content in sanitized JavaScript", Mark S. Miller, Mike Samuel, Ben Laurie, Ihab Awad, Mike Stay
Yahoo!/Google Caja Javascript Sandbox
{{DEFAULTSORT:Caja Project Capability systems Transformation languages