
Caja project

Article Id: WHEBN0017841155

Title: Caja project  
Author: World Heritage Encyclopedia
Language: English
Subject: Joe-E, Google Sites, V8 (JavaScript engine), Asynchronous module definition, InScript (JavaScript engine)
Publisher: World Heritage Encyclopedia

Caja (pronounced )[1] is a Google project and a JavaScript implementation for "virtual iframes" based on the principles of object-capabilities. Caja takes JavaScript (technically, ECMAScript 5 strict mode code), HTML, and CSS input and rewrites it into a safe subset of HTML and CSS, plus a single JavaScript function with no free variables. That means the only way such a function can modify an object is if it is given a reference to the object by the host page. Instead of giving direct references to DOM objects, the host page typically gives references to wrappers that sanitize HTML, proxy URLs, and prevent redirecting the page; this allows Caja to prevent certain phishing attacks, prevent cross-site scripting attacks, and prevent downloading malware. Also, since all rewritten programs run in the same frame, the host page can allow one program to export an object reference to another program; then inter-frame communication is simply method invocation.
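
The capability pattern described above, as an added illustration that is not Caja's code, API, or rewriter output. `makeNode`, `tameNode`, `guestA`, `guestB`, and the `proxy.example` endpoint are assumptions of this example, and the guests avoid free variables only by convention here, whereas Caja's rewriter enforces it.

```javascript
'use strict';

// Host side: a plain object stands in for a DOM element (constructed for this example).
function makeNode() {
  return { text: '', href: null };
}

// Hypothetical URL proxy endpoint; an assumption, not a real service.
const PROXY = 'https://proxy.example/fetch?u=';

// Attenuated wrapper: the guest gets these two methods, never `node` itself.
function tameNode(node) {
  return Object.freeze({
    setText(s) {
      node.text = String(s); // stored as text, never interpreted as markup
    },
    setLink(url) {
      let parsed;
      try { parsed = new URL(String(url)); } catch (e) { return false; }
      // Only http(s) targets are allowed, and they are routed through the proxy.
      if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
      node.href = PROXY + encodeURIComponent(parsed.href);
      return true;
    },
  });
}

// Guest A: everything it can touch arrives in `caps`; it exports one object.
function guestA(caps) {
  caps.out.setText('<b>hi</b>');
  return Object.freeze({ greet: (name) => 'hello ' + name });
}

// Guest B: can call A's export only because the host chose to pass it as `peer`.
function guestB(caps) {
  const rejected = caps.out.setLink('javascript:void(0)');
  const accepted = caps.out.setLink('https://example.org/a?b=c');
  return { rejected, accepted, reply: caps.peer.greet('B') };
}

// Host wiring: decides which references each guest receives.
function runDemo() {
  const nodeA = makeNode(), nodeB = makeNode();
  const exported = guestA(Object.freeze({ out: tameNode(nodeA) }));
  const report = guestB(Object.freeze({ out: tameNode(nodeB), peer: exported }));
  return { nodeA, nodeB, report };
}
```
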

The word "caja" is Spanish for "box" or "safe" (as in a bank), the idea being that Caja can safely contain JavaScript programs as well as being a capabilities-based JavaScript.

Caja is currently used by Google in its Orkut,[2] Google Sites,[3] and Google Apps Script[4] products; in 2008 MySpace[5][6] and Yahoo![7] had both deployed a very early version of Caja but later abandoned it.


  1. Note about pronunciation, October 2007.
  2. orkut Developer Blog: Caja Available on orkut, 2010/03/09, retrieved 2010/04/21
  3. Insert custom HTML, CSS, and Javascript, retrieved 2012/04/16
  4. Html Service: Caja Sanitization 2013/06/28, retrieved 2013/07/25
  5. MySpace: Caja JavaScript scrubbing ready for prime time, 2008/02/04, retrieved 2008/06/08
  6. Tim Oren's Due Diligence: Web 2.0 Investors: Pay Attention To Caja, 2008/04/11, retrieved 2008/06/08
  7. OpenSocial API Blog: Launched: Yahoo!'s First Implementation of OpenSocial Support, 2008/10/28, retrieved 2008/11/15

External links

  • Caja project home page
  • Caja project source code
  • Caja playground
  • Caja draft specification: "Safe active content in sanitized JavaScript", Mark S. Miller, Mike Samuel, Ben Laurie, Ihab Awad, Mike Stay
  • Yahoo!/Google Caja Javascript Sandbox
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply.