Posts Tagged ‘javascript’

Caja and JavaScript Security

People have been worrying about cross-site scripting, and have been careful in dealing with user input data, typically by filtering out undesired HTML elements. There are now certain applications that cannot afford to filter out user-generated scripts, such as gadgets in iGoogle and OpenSocial, and facebook applications. These applications must run user-submitted JavaScript, often inside the same webpages that are linked to very sensitive information. It would be a disaster if iGoogle gadgets get access to your GMail account, or a facebook application access your profile when you don’t want it to.

The sandbox feature of JavaScript language was not designed to handle this situation. IFrame can offer desired isolation of untrusted code, if you do it carefully, but it offers no¬†granularity in¬†control and it cannot stop some behavior such as redirecting page and initiating installation of plugins. Caja, which stands for capability JavaScript, is an emerging technique to “put untrusted third-party HTML and JavaScript inline in your page and still be secure”. There are similar offerings like Facebook’s FBJS, ADsafe, and also Microsoft’s Web SandBox. Similar concept is also applied to other programming languages.


Read Full Post »