To add to Ben's points --

On Thu, Jul 16, 2009 at 9:05 AM, Ben Laurie <[email protected]> wrote:
> Not necessary, but it might reduce your exposure to attacks if you
> cajole as much as possible - that's unlikely to be all of it, though.
> ...
> The workspace has to know about Caja to the extent that it wants to
> expose functions it provides to cajoled script. Other than that, you
> are correct.
I think it depends on a couple of issues:

1. If you have a large existing codebase you plan to make part of the "container" page, and that codebase is not well-suited to cajoling for some reason, then you may want an un-cajoled container with cajoled gadgets. If you are building your container from scratch, you might want to consider the microkernel approach (described below...).

2. If your gadgets are pretty strictly isolated from the container state, and if cajoling the container would be expensive for you, then you will not see a huge return on your additional investment in time to cajole the container. However, if the container shares a bunch of state with the gadgets, cajoling the container would give you a bunch more confidence that this interaction with the (untrusted) gadgets is secure.

Ideally, we in Caja land would love to see people build containers that *are* tightly coupled with their gadgets; in other words, the gadgets are "plugins" to the container functionality in a rich sense. After all, sharing convenient, direct, fine-grained object references under mutual suspicion is precisely what the capability security model underlying Caja enables so well.

To that end, the *ideal* architecture is a "microkernel" where some startup code loads cajita.js, domita.js and a bunch of other support files, initializes a bunch of simple capabilities (e.g., a capability to "load a new gadget" from the network), then fires up a root module that accepts these capabilities and deals with managing the isolation -- *and* communication -- between the gadgets. In this situation, the root module acts as a "powerbox" as described here --

http://wiki.erights.org/wiki/Powerbox

Taming un-cajoled code to communicate safely with cajoled code is a brittle process. The fact that the powerbox would be written in a capability safe language would be a great help to it in safely divvying up the authorities it has with fewer worries about vulnerabilities.

Ihab

--
Ihab A.B. Awad, Palo Alto, CA
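The microkernel/powerbox arrangement sketched in the message, as an added illustration that is not part of the original post and does not use Caja's own API: a root module written in plain JavaScript receives a few primitive capabilities from hypothetical startup code, hands each gadget only attenuated versions of them (a fetch limited to one origin, a messenger that routes through the root module), and never exposes the raw authority. The gadget registry, the recording fetch stand-in, the policy object and the `weather`/`display` gadgets are all constructed for the demonstration.

```javascript
// Added example, not Caja project code: a minimal "powerbox" root module.
// The host gives the root module a few primitive capabilities; the root
// module attenuates them before handing them to gadgets and mediates
// gadget-to-gadget messaging, so no gadget ever holds raw authority.

// --- Host side: primitive capabilities the startup code would create ---
// (hypothetical; a real container would build these from cajita/domita)
function makeHostCapabilities(fetchImpl) {
  return Object.freeze({
    fetchUrl: fetchImpl,                        // unrestricted network fetch
    loadGadget: (name) => GADGET_REGISTRY[name], // constructed in-memory loader
  });
}

// --- Root module acting as the powerbox ---
function makePowerbox(caps) {
  const gadgets = new Map(); // name -> gadget instance
  const inboxes = new Map(); // name -> queued messages

  // Attenuation: a fetch restricted to one origin. The gadget holds only
  // this wrapper; caps.fetchUrl itself is never reachable from it.
  function attenuateFetch(allowedOrigin) {
    return Object.freeze((url) => {
      const u = new URL(url);
      if (u.origin !== allowedOrigin) {
        throw new Error(`fetch denied: ${u.origin} not allowed`);
      }
      return caps.fetchUrl(url);
    });
  }

  // Messaging: gadgets talk only through the powerbox, which stamps the
  // sender so the receiver cannot be lied to about provenance.
  function makeMessenger(fromName) {
    return Object.freeze({
      send: (toName, payload) => {
        if (!gadgets.has(toName)) throw new Error(`no such gadget ${toName}`);
        inboxes.get(toName).push({ from: fromName, payload: String(payload) });
      },
      receive: () => inboxes.get(fromName).splice(0),
    });
  }

  // Spawn a gadget, granting only what the (constructed) policy allows.
  function spawn(name, policy) {
    const factory = caps.loadGadget(name);
    if (typeof factory !== 'function') throw new Error(`unknown gadget ${name}`);
    inboxes.set(name, []);
    const granted = Object.freeze({
      fetch: policy.origin ? attenuateFetch(policy.origin) : undefined,
      messenger: makeMessenger(name),
    });
    const gadget = factory(granted);
    gadgets.set(name, gadget);
    return gadget;
  }

  return Object.freeze({ spawn });
}

// --- Constructed gadgets: each sees only the object it was handed ---
const GADGET_REGISTRY = Object.freeze({
  weather: (caps) => ({
    fetchForecast: () => caps.fetch('https://weather.example/api'),
    tryOther: () => caps.fetch('https://other.example/exfil'), // should be denied
    tell: (to, msg) => caps.messenger.send(to, msg),
  }),
  display: (caps) => ({
    drain: () => caps.messenger.receive(),
    hasNetwork: () => caps.fetch !== undefined,
  }),
});

// Constructed fetch stand-in: records URLs instead of touching the network.
function makeRecordingFetch() {
  const seen = [];
  const fetchUrl = (url) => { seen.push(url); return `response for ${url}`; };
  return { fetchUrl, seen };
}

// Run the scenario and return everything worth checking.
function demo() {
  const net = makeRecordingFetch();
  const box = makePowerbox(makeHostCapabilities(net.fetchUrl));
  const weather = box.spawn('weather', { origin: 'https://weather.example' });
  const display = box.spawn('display', {}); // no network authority at all

  const forecast = weather.fetchForecast();
  let denied = false;
  try { weather.tryOther(); } catch (e) { denied = true; }
  weather.tell('display', 'sunny');

  return {
    forecast,
    denied,
    displayHasNetwork: display.hasNetwork(),
    messages: display.drain(),
    urlsSeen: net.seen,
  };
}
```

The point of the shape is the one the message makes: because the powerbox holds the only reference to `caps.fetchUrl`, its security argument reduces to reviewing the handful of wrappers it hands out, and a gadget that is later found to be malicious can at worst use exactly the authority it was granted.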
