On Thu, Jul 16, 2009 at 8:12 AM, Matthew Russell<[email protected]> wrote:
>
> A colleague and I are discussing an effort to build/enhance a
> workspace similar to the "container" that is like the iGoogle
> "workspace" i.e. the page that gadgets run in. From a security
> standpoint, is it necessary in any way that the workspace itself be
> cajoled or tamed?

Not necessary, but it might reduce your exposure to attacks if you
cajole as much as possible - that's unlikely to be all of it, though.

> We are starting to think that it wouldn't have to be cajoled or tamed
> at all, although this wasn't immediately obvious when we were locked
> into thinking about Caja so much. So long as the gadgets that run
> within the workspace are sufficiently sandboxed from one another by
> Caja and not in any way given references to the workspace, it seems
> that the workspace could have no knowledge of Caja whatsoever without
> security impact on the gadgets running within it.

The workspace has to know about Caja to the extent that it wants to
expose functions it provides to cajoled script. Other than that, you
are correct.

>
> Does that make sense? We'd be glad to pay an expert with Caja a nice
> consulting rate to occasionally bounce questions off of and/or review
> design artifacts we are producing. If anyone is interested, we should
> chat about that...

Obviously you can ask questions here for free... :-)
