I recently talked about our experiences developing applications for the Yahoo Open Platform. Caja is a system used by YAP (and resumable others close to OpenSocial/Google) that transforms ordinary HTML and Javascript into a more restricted form.

At its heart, Caja enables platform providers like Yahoo! to allow developers to use Javascript in their applications safetly.  Caja solves a similar problem that Facebook solves with its FBJS (Facebook Javascript), albeit in a more flexible fashion. Facebook solves the problem by provided a limit set of Javascript-like functions, tries to mirror some of their functionality with that of its server-based API, and provides very decent support for AJAX. Caja tries to solve the problem by support regular Javascript with some limitations.

The Yahoo Application Platform (YAP) is new as is Caja, so there are still a lot of kinks that need to be worked out. Some developers, however, seem to prefer the limit, yet working, set approach that Facebook offers versus the every should work (but it doesn’t exactly) that Caja and OpenSocial may have to offer.

As I mentioned, Caja – like many other technologies that originate at Google, is open-source so expect more companies to adopt this approach to limit XSS style attacks on their site. As one post by a Google devleloper working on the project claims “With the lauch of My Yahoo! and Yahoo! Mail gadgets, we’ve got 275 million users.” – partially true (first they have got to see the applications..before they can use them), so developers need to start taking a serious look at Caja and what Caja will mean for them. Tim Oren makes a similar (even stronger) point in his post on Web 2.0, Javascript and Caja.

In working we Caja, we had to come up with serveral not so trivial work-around based on the current limitations of Caja (XML parser for AJAX calls, ie) so working with (and around) Caja may not be trivial but hopefully will become a lot easier as these kinks are ironed out in future YAP releases.

Other Resources: