June 29, 2009

Yahoo!/Google Caja Javascript Sandbox

Categories: yahoo — admin at 4:52 pm

I recently talked about our experiences developing applications for the Yahoo Open Platform. Caja is a system used by YAP (and presumably by others close to OpenSocial/Google) that transforms ordinary HTML and Javascript into a more restricted form.

At its heart, Caja enables platform providers like Yahoo! to let developers use Javascript in their applications safely. Caja solves a problem similar to the one Facebook solves with its FBJS (Facebook Javascript), albeit in a more flexible fashion. Facebook solves the problem by providing a limited set of Javascript-like functions, mirroring some of their functionality in its server-based API, and offering very decent support for AJAX. Caja tries to solve the problem by supporting regular Javascript with some limitations.

The Yahoo Application Platform (YAP) is new, as is Caja, so there are still a lot of kinks that need to be worked out. Some developers, however, seem to prefer the limited, yet working, set of features that Facebook offers over the "everything should work (but it doesn't exactly)" approach that Caja and OpenSocial may have to offer.

As I mentioned, Caja, like many other technologies that originate at Google, is open-source, so expect more companies to adopt this approach to limit XSS-style attacks on their sites. As one post by a Google developer working on the project claims, "With the launch of My Yahoo! and Yahoo! Mail gadgets, we've got 275 million users." That is only partially true (first they have to see the applications before they can use them), but developers need to start taking a serious look at Caja and what Caja will mean for them. Tim Oren makes a similar (even stronger) point in his post on Web 2.0, Javascript and Caja.

In working with Caja, we had to come up with several not-so-trivial workarounds for the current limitations of Caja (an XML parser for AJAX calls, for instance), so working with (and around) Caja may not be trivial, but hopefully it will become a lot easier as these kinks are ironed out in future YAP releases.

Other Resources:

Caja allows developers to put "untrusted" third-party HTML and Javascript inline in your page and still be secure. Here are some of Caja's features:

- Stricter control over what Javascript is allowed to do, including disabling redirects to phishing pages, proxying URLs, and eliminating XSS (HTML is sanitized dynamically).
- The untrusted code can be given more power than is safe to give to code currently in iframes.

Here are some possible applications:

- Floating DIVs (rectangular and non-rectangular).
- Frames that can communicate without the current awkward protocols.
- Readers that can broadcast geographic information about the current article: a maps widget jumps to the location, while a news gadget gets local stories and a weather widget gets financial or entertainment info.
- Extensible syntax, so plugins can mark up text.
- Hosting social network and media pages can control the gadgets and widgets on them.
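To make the "HTML sanitized dynamically" and "proxying URLs" points concrete, here is an added illustration in JavaScript. It is not Caja's code and not from the Caja project; it shows the defensive idea only: untrusted gadget markup is reduced to an allowlist of tags and attributes, script bodies and event handlers are dropped, and every outbound URL is forced through a host-controlled proxy so the host, not the gadget, decides where a click or image load may go. The allowlists and the proxy endpoint (proxy.example.invalid) are assumptions, and the regex tokenizer is a teaching simplification; a production sanitizer must sit on a full HTML parser.

```javascript
// Added example, not Caja's own code: allowlist sanitization of untrusted
// gadget HTML plus rewriting of outbound URLs through a host-owned proxy.

const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'p', 'div', 'span', 'img', 'br']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'title', 'class']);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = /^(https?:|mailto:)/i;
// Tags whose text content is code, not markup: drop the body, not just the tag.
const RAW_TEXT_TAGS = new Set(['script', 'style']);

// Assumed (placeholder) proxy endpoint run by the hosting platform.
const PROXY_PREFIX = 'https://proxy.example.invalid/?url=';

// Returns the proxied form of an outbound URL, or null if the scheme is not
// allowed (javascript:, data:, vbscript: and friends are rejected here).
function rewriteUrl(raw) {
  const url = raw.trim();
  if (!SAFE_SCHEMES.test(url)) return null;
  return PROXY_PREFIX + encodeURIComponent(url);
}

// Escape text so it can only ever be rendered as text. Existing entities are
// conservatively re-escaped, which is safe but may show "&amp;" literally.
function escapeText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;')
             .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Keep only allowlisted attributes; URL-valued ones must survive rewriteUrl.
function sanitizeAttrs(attrText) {
  const out = [];
  const re = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[3] !== undefined ? m[3] : (m[4] !== undefined ? m[4] : m[5]);
    if (!ALLOWED_ATTRS.has(name)) continue;        // drops onclick, onerror, style, ...
    if (URL_ATTRS.has(name)) {
      const safe = rewriteUrl(value);
      if (safe === null) continue;                 // unsafe scheme: attribute vanishes
      out.push(` ${name}="${escapeText(safe)}"`);
    } else {
      out.push(` ${name}="${escapeText(value)}"`);
    }
  }
  return out.join('');
}

// Tokenize into tags / text / stray '<' and rebuild only what the policy allows.
function sanitizeHtml(html) {
  const tokenRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|([^<]+)|(<)/g;
  let out = '';
  let skipUntil = null;   // name of the raw-text tag whose body is being discarded
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [, slash, rawName, attrs, text] = m;
    if (rawName !== undefined) {
      const name = rawName.toLowerCase();
      if (skipUntil !== null) {                    // inside <script>/<style>: ignore
        if (slash === '/' && name === skipUntil) skipUntil = null;
        continue;
      }
      if (!ALLOWED_TAGS.has(name)) {               // disallowed tag is removed entirely
        if (slash === '' && RAW_TEXT_TAGS.has(name)) skipUntil = name;
        continue;
      }
      out += slash === '/' ? `</${name}>` : `<${name}${sanitizeAttrs(attrs)}>`;
    } else if (text !== undefined) {
      if (skipUntil === null) out += escapeText(text);
    } else if (skipUntil === null) {
      out += '&lt;';                               // lone '<' that formed no tag
    }
  }
  return out;
}

// Constructed sample of hostile gadget markup (not from any real gadget).
const UNTRUSTED = '<p onclick="steal()">Hi <b>there</b><script>alert(1)</script>'
  + '<a href="javascript:alert(1)">x</a><a href="http://example.com/?q=1">ok</a>'
  + '<img src="https://example.com/i.png" onerror="evil()">'
  + '<iframe src="https://x"></iframe></p>';

console.log(sanitizeHtml(UNTRUSTED));
```

The two properties a host platform cares about are visible in the output: nothing the gadget wrote can execute (no script body, no handler attribute, no `javascript:` URL survives), and every remaining URL points at the platform's proxy, which is where a redirect-to-phishing check or a fetch policy can be enforced centrally.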

1 Comment »

  1. We on the Caja team would be very interested in hearing what kinds of problems you ran into.

    Comment by Mike Stay — July 18, 2009 @ 11:52 pm
