Caja: Capability Javascript

R.A. Hettinga rah at shipwright.com
Thu Nov 8 20:47:22 PST 2007


<http://www.links.org/?p=271>

Links

Ben Laurie blathering


Caja: Capability Javascript

I've been running a team at Google for a while now, implementing
capabilities in Javascript. Fans of this blog will remember that long ago I
did a thing called CaPerl. The idea in CaPerl was to compile a slightly
modified version of Perl into Perl, enforcing capability security in the
process.

Caja follows a similar path, except rather than modify Javascript, we
restrict it to a large subset. This means that a Caja program will run
without modification on a standard Javascript interpreter - though it won't
be secure, of course! When it is compiled then, like CaPerl, the result is
standard Javascript that enforces capability security. What does this mean?
It means that Web apps can embed untrusted third party code without concern
that it might compromise either the application's or the user's security.

Caja will be open source, under the Apache License. We're still debating
whether we will drop our existing code for this as a starting point, or
whether we want to take a different approach, but in any case, there's
plenty to be done.

Although the site has been up for a while, I was reluctant to talk about it
until there was some way for you to be involved. Now there is - we have a
public mailing list. Come along, read the docs (particularly the Halloween
version of the spec) and join in the discussions. I'm very excited about
this project and the involvement of some world class capability experts,
including Mark Miller (of E fame) who is a full-time member of the Caja
development team.

This entry was posted on Thursday, November 1st, 2007 at 11:44 and is filed
under Capabilities, Open Source, Programming, Security.


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




