Short version:

The old version of Caja, called "es5/3", requires rewriting untrusted
JS to safe JS, and the rewrite is implemented in Java. It works for
most browsers, but the rewritten JS is big and slow.

The new version of Caja, called "es5", constructs a JS sandbox using
new JS features like strict mode. Untrusted JS is run directly in the
sandbox. This is smaller and lighter than es5/3, but still somewhat
bigger and slower than normal JS execution.

es5 only works on newer browsers. In particular, IE<10 won't work, and
I'm not sure if IE10 does work right now; nobody has been looking at
it.

(I lied: es5 does include a client-side JS rewriter, but it's a few
small rewrites, and it's mostly about plastering over a few
differences between sandboxed-JS and normal JS.)

On Mon, Sep 9, 2013 at 4:54 PM, Ryan Baxter <rbaxte...@apache.org> wrote:
> Felix, do you have details on how the new client side approach works?
>
> On Mon, Sep 9, 2013 at 6:56 PM, felix <feli...@gmail.com> wrote:
>> The Caja support in Shindig is many versions out of date and not
>> particularly maintained. AFAIK nobody uses it.
>>
>> The Caja project is moving toward a purely client-side JS
>> implementation of Caja that works in modern browsers, and we're
>> planning on removing the server-side Java code sometime this year.
>> Updating Shindig to use the newer Caja is plausible, but seems
>> pointless if nobody is using it.
>>
>> Any objection to removing the Caja from Shindig? I can write up the patch.
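
The reply above says the es5 sandbox is built on JS features like strict mode. As an added illustration (not part of the original thread and not Caja's code), this Node.js snippet runs three constructed probe snippets in sloppy and in strict mode to show which routes to ambient authority strict mode closes off. PROBES, runProbe and compare are hypothetical names.

```javascript
'use strict';

// Constructed stand-ins for untrusted code. Each one tries to reach
// something it was never handed: the global object, the enclosing
// function, or a new global binding.
const PROBES = {
  thisLeak: 'return (function () { return this; })();',
  calleeWalk: 'return (function () { return arguments.callee; })();',
  implicitGlobal: 'leakedByProbe = 1; return typeof leakedByProbe;',
};

// Compile `body` as a function body and describe what it obtained.
// Functions made with `new Function` are sloppy unless the body itself
// carries a "use strict" directive, so both modes can be compared here.
function runProbe(body, strict) {
  const src = (strict ? '"use strict";\n' : '') + body;
  try {
    const value = new Function(src)();
    if (value === globalThis) return 'global object';
    if (typeof value === 'function') return 'function reference';
    return String(value);
  } catch (e) {
    return 'blocked: ' + e.constructor.name;
  } finally {
    // Undo the side effect of the sloppy implicitGlobal probe.
    delete globalThis.leakedByProbe;
  }
}

// Run every probe in both modes and collect the results side by side.
function compare() {
  const rows = {};
  for (const [name, body] of Object.entries(PROBES)) {
    rows[name] = {
      sloppy: runProbe(body, false),
      strict: runProbe(body, true),
    };
  }
  return rows;
}

console.table(compare());
```

Strict mode only removes these implicit paths; a sandbox still has to control every object reference it hands to the guest code.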
