On Thu, Jul 16, 2009 at 11:05 AM, Ben Laurie<[email protected]> wrote:
>
> On Thu, Jul 16, 2009 at 8:12 AM, Matthew Russell<[email protected]> wrote:
>>
>> A colleague and I are discussing an effort to build/enhance a
>> workspace similar to the "container" that is like the igoogle
>> "workspace" i.e. the page that gadgets run in. From a security
>> standpoint, is it necessary in any way that the workspace itself be
>> cajoled or tamed?
>
> Not necessary, but it might reduce your exposure to attacks if you
> cajole as much as possible - that's unlikely to be all of it, though.
>
>> We are starting to think that it wouldn't have to be cajoled or tamed
>> at all, although this wasn't immediately obvious when we were locked
>> into thinking about Caja so much. So long as the gadgets that run
>> within the workspace are sufficiently sandboxed from one another by
>> Caja and not in any way given references to the workspace, it seems
>> that the workspace could have no knowledge of Caja whatsoever without
>> security impact on the gadgets running within it.
>
> The workspace has to know about Caja to the extent that it wants to
> expose functions it provides to cajoled script. Other than that, you
> are correct.
>
>>
>> Does that make sense? We'd be glad to pay an expert with Caja a nice
>> consulting rate to occasionally bounce questions off of and/or review
>> design artifacts we are producing. If anyone is interested, we should
>> chat about that...
>
Excellent. Thanks for the clarifications Ben.

> Obviously you can ask questions here for free... :-)
>

I totally appreciate all of the free advice on here and intend to keep making good use of it. The thing is, I have to ultimately turn in deliverables to a customer (that I couldn't post on here or share with the public) and sometimes it's nice to have an expert do a quick once over of the whole thing, identify gaps, etc.
