Extract from Caja Home Page
Caja (pronounced "KA-ha") provides "virtual iframes": it allows you to put untrusted third-party HTML and JavaScript inline in your page and still be secure. Caja

- gives stricter control over what the code can do:
  - no redirects to phishing pages: the window object the untrusted code has is a fake one created by the containing page
  - no malware: all requests to URLs are proxied
  - no XSS: dynamic HTML sanitization
- allows the untrusted code more power than is safe to give to code currently in iframes. Here are some possibilities:
  - floating frames ("info windows")
  - frames don't have to be rectangular
  - frames can communicate without the current awkward protocols:
    - a reader could broadcast geographic information about the current article; a maps gadget jumps to the location, while a news gadget gets local stories and a weather gadget pulls up the weather
    - similarly for financial info or entertainment info
    - an extensible syntax highlighter could have plugins that can mark up text but not leak the contents to another website
    - a channel can be a bit channel (can only send information) or a code channel (can send functions)
    - the hosting page can control who talks to whom
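As an added illustration (not code from the Caja project), the sketch below shows what the three controls listed above amount to on the hosting page's side: a fake `window` whose navigation is recorded rather than performed, a `fetch` routed through the host's proxy, and an allowlist HTML sanitizer. It assumes the guest source has already been rewritten (as Caja does) so that it can only reach the objects it is handed; the host names and proxy URL are constructed.

```javascript
// Policy layer for a "virtual iframe": the host builds a fake window and hands
// it to guest code in place of the real one. Assumption: the guest source was
// rewritten beforehand so it cannot reach the real globals; only the policy is shown.

const ALLOWED_HOSTS = new Set(["api.example.com"]);          // constructed host policy
const ALLOWED_TAGS = new Set(["p", "b", "i", "a", "ul", "li", "div", "span"]);

function makeGuestWindow(log) {
  // No redirects: a navigation attempt is logged by the host, never carried out.
  const location = {
    get href() { return "about:blank"; },
    set href(url) { log.push({ kind: "blocked-navigation", url }); },
  };

  // Every request goes through the host's proxy, which applies the host policy.
  function proxiedFetch(url) {
    const host = new URL(url, "https://host.example/").hostname;
    if (!ALLOWED_HOSTS.has(host)) {
      log.push({ kind: "blocked-request", url });
      return Promise.reject(new Error("request denied by host policy"));
    }
    const via = "https://host.example/proxy?u=" + encodeURIComponent(url);
    log.push({ kind: "proxied-request", url: via });
    return Promise.resolve({ ok: true, url: via });       // stand-in for the real fetch
  }

  // Dynamic HTML is sanitized with an allowlist: script/style elements go with
  // their content, unknown tags and all attributes are dropped, and only an
  // http(s) href on an allowed tag is kept.
  function sanitizeHtml(html) {
    const inert = html.replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, "");
    return inert.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (m, slash, name, attrs) => {
      const tag = name.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) return "";
      if (slash) return "</" + tag + ">";
      const href = /\bhref\s*=\s*["']?(https?:\/\/[^"'\s>]*)/i.exec(attrs);
      return "<" + tag + (href ? ' href="' + href[1] + '"' : "") + ">";
    });
  }

  return { location, fetch: proxiedFetch, sanitizeHtml };
}

// Runs guest code against the fake window; `window` inside the guest is the fake one.
function runGuest(source, log) {
  const win = makeGuestWindow(log);
  new Function("window", source)(win);
  return win;
}
```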