Revision: 3701
Author: davidsarah.hopwood
Date: Wed Sep  2 18:52:01 2009
Log: copyedit
http://code.google.com/p/google-caja/source/detail?r=3701

Modified:
  /wiki/DraftNewHomePage.wiki

=======================================
--- /wiki/DraftNewHomePage.wiki Wed Sep  2 18:29:24 2009
+++ /wiki/DraftNewHomePage.wiki Wed Sep  2 18:52:01 2009
@@ -3,35 +3,35 @@

  <img  
src="http://google-caja.googlecode.com/svn/trunk/doc/images/invaders.png";  
align="right" title="Invaders in a container are contained in what they can  
do">
  Caja allows websites to <b>safely embed</b> DHTML web applications
-from third-parties and enables <b>rich-interaction</b> between the
+from third parties, and enables <b>rich-interaction</b> between the
  embedding page and the embedded applications.  It uses an
-<a  
href="http://en.wikipedia.org/wiki/Object-capability_model";>object-capabilities</a>
  
security model to allow for a wide-range
-of <b>flexible security policies</b> so that the containing page can
+<a  
href="http://en.wikipedia.org/wiki/Object-capability_model";>object-capability  
security model</a> to allow for a wide-range
+of <b>flexible security policies</b>, so that the containing page can
  effectively control the embedded applications' use of user data and to
  allow gadgets to prevent interference between gadgets' UI elements.

  Today, some websites embed third-party code using <tt>iframe</tt>s.
  This approach does not prevent a wide variety of attacks:
  <a  
href="http://code.google.com/p/google-caja/wiki/RedirectWithoutUserAction";>redirection
  
to phishing pages</a> which could pretend to be a login
-page for the embedding application, stopping the browser from working
+page for the embedding application stopping the browser from working
  until the user
-<a  
href="http://code.google.com/p/google-caja/wiki/RedirectWithoutUserAction";>downloads
  
malware</a>,
+<a  
href="http://code.google.com/p/google-caja/wiki/RedirectWithoutUserAction";>downloads
  
malware</a>;
  <a href="http://code.google.com/p/google-caja/wiki/HistoryMining";>stealing  
history information</a> about which sites a user has visited
-so that more target phishing attacks can be done, and
+so that more target phishing attacks can be done; and
  <a  
href="http://code.google.com/p/google-caja/wiki/UrlFetchingSideChannel";>port  
scanning</a> the user's local network.  Finally, even though a
  website can choose not to give its data to an <tt>iframe</tt> app, once it  
has
-done so, it can place no further restrictions on what the <tt>iframe</tt>  
app
+done so it can place no further restrictions on what the <tt>iframe</tt>  
app
  can do with it---it cannot stop the <tt>iframe</tt> app from sending that
  data elsewhere.

  Caja addresses these problems which are not addressed
  by <tt>iframe</tt> jails; and it does so in a very <b>flexible</b>
  way.  If a container wishes to allow an embedded application to use a
-particular web service, but not send arbitrary network requests, then
+particular web service, but not to send arbitrary network requests, then
  it can give the application an object that interacts with that
  web service, but deny access to {{{XMLHttpRequest}}}.  Under
-Caja, <b>passing object grants authority, and denying access to
-objects denies authority</b>, as is typical in an object capabilities
+Caja, <b>passing objects grants authority, and denying access to
+objects denies authority</b>, as is typical in an object-capability
  environment.

  ==Contacting the Caja Team==
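Review bot: The hyphens in "rich-interaction" and "wide-range" on the added lines ("enables <b>rich-interaction</b>", "to allow for a wide-range") should go, since neither phrase is used as a compound modifier; the same hunk already de-hyphenates "third parties", so the edit is inconsistent with itself. Two further points in this hunk: dropping the comma in "login page for the embedding application stopping the browser from working" now reads as if the embedding application were doing the stopping, whereas the old text attached "stopping the browser ... until the user downloads malware" to the redirection attack; keep the comma or restructure the list. And "so that more target phishing attacks can be done" should be "more targeted phishing attacks". In the unchanged context, "can effectively control ... and to allow gadgets to prevent interference" is not parallel; "and allow gadgets" would fix it.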
@@ -43,10 +43,10 @@
  ===Reporting Bugs & Security Issues===
  Please report bugs and potential vulnerabilities at the
  <a href="http://code.google.com/p/google-caja/issues/entry";>issue  
tracker</a>.
-For security vulnerabilities, please mark it with the {{{Private}}}
+For security vulnerabilities, please mark your issue with the {{{Private}}}
  label.  The Caja team encourages
-<a href="http://en.wikipedia.org/wiki/Responsible_disclosure";>responsible  
disclosure</a> since production services rely on us for
-security and will work to resolve the issue and make sure credit is
+<a href="http://en.wikipedia.org/wiki/Responsible_disclosure";>responsible  
disclosure</a>, since production services rely on us for
+security. We will work to resolve the issue and make sure credit is
  given.

  ===Contributing===
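Review bot: The added line asks reporters to mark a vulnerability with the {{{Private}}} label only after the preceding sentence has already sent them to the issue tracker; consider folding the label instruction into the same sentence as the link (for example "report potential vulnerabilities at the issue tracker, marking the issue with the {{{Private}}} label") so a security report is never filed without it. The split into "...rely on us for security. We will work to resolve the issue..." reads well and fixes the dangling "and will work" of the old text.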
@@ -56,32 +56,32 @@
  our <a  
href="http://groups.google.com/group/google-caja-discuss";>discussion</a>  
group.

  ==Motivation==
-Some websites embed code in <tt>iframe</tt>s, and pass user data.  The use  
of
+Some websites embed code in <tt>iframe</tt>s, and pass user data between  
them.  The use of
  these sites has thus far been limited to teenagers and others who are
  comfortable with some aspects of their lives being very public.  The
  same development model---where one company provides a general
-storage layer for data, and third-parties provide custom interfaces
+storage layer for data, and third parties provide custom interfaces
  and extensions---has not been extended to systems that deal with
  valuable data.

  This development model is promising, though.  Large software companies
  have to target their user-interface efforts at a mythical average
  user; the high costs of researching and understanding the needs of
-niches of users means user interfaces tend to suffer from the "lowest
+niches of users means that user interfaces tend to suffer from the "lowest
  common denominator" effect.  But there are many developers who
  understand niche markets, and know how to write custom user interfaces
  and workflows.

-If we can safely embed third party user interfaces and workflows into
-generic backends we can encourage a market for embedded applications that  
will make
-the web experience much ricer.  Caja aims to allow that safe embedding.
+If we can safely embed third-party user interfaces and workflows into
+generic backends, we can encourage a market for embedded applications that  
will make
+the web experience much richer.  Caja aims to allow that safe embedding.

  ==What is Caja==
  Caja (pronounced "KA-ha"), is a Spanish word that means box, bank,
  cash register, vault; a container for valuables.
  A <b>web developer uses traditional tools</b> like HTML, JavaScript,
  and CSS; and Caja provides a compiler (a "cajoler") that takes the
-web application and produces a "cajoled" HTML web application: it tries to
+web application and produces a "cajoled" HTML web application. The cajoler  
tries to
  verify security properties by doing static analysis, and where it cannot
  it rewrites the input to add runtime checks.

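Review bot: "pass user data between them" on the added line changes the meaning of the old "and pass user data": it is now unclear whether data moves between the sites, between the embedded <tt>iframe</tt>s, or from the site into the embedded code, which is what the rest of the page describes; "pass user data to them" keeps the old sense. Also in this hunk's context, "Caja (pronounced "KA-ha"), is a Spanish word" has a stray comma after the closing parenthesis, and "where it cannot it rewrites the input" wants a comma after "cannot". The "ricer" to "richer" fix is correct.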
@@ -90,16 +90,16 @@
  provides <a href="http://www.erights.org/elib/legacy/taming.html";>tamed</a>
  APIs that virtualize portions of the DOM.  A containing page can
  set up the embedding application's environment so that the embedded
-application thinks it is interacting with a full page DOM, but is only
+application thinks it is interacting with the DOM of a full page, but is  
in fact only
  manipulating a bounded portion of the containing page via a mechanism
  called <b>virtual iframes</b>.

  The JavaScript that a Caja application uses is written in
  a <a href="http://en.wikipedia.org/wiki/Fail-stop";>fail stop
-subset</a> of JavaScript (actually EcmaScript5).  This subset
+subset</a> of JavaScript (actually EcmaScript5).  This subset,  
called "Valija",
  includes almost the entire JavaScript language, but removes a few
-error prone constructs such as {{{with}}} and confines how {{{eval}}}
-can be used.
+error-prone constructs such as {{{with}}} and restricts how {{{eval}}}
+may be used.

  ==News==

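Review bot: For consistency with the hyphenation this hunk introduces ("error-prone constructs"), the unchanged "fail stop subset" should read "fail-stop subset", since it is a compound modifier and matches the spelling in the linked article URL. "EcmaScript5" on the changed line is also nonstandard; the specification is written "ECMAScript 5". The added ", called "Valija"," reads well, though the sentence should say where Valija sits relative to Cajita if the page discusses both elsewhere.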