Hi, I think the answer to my inquiry is simply "no", but I am hoping for confirmation and/or guidance on alternative approaches.
I am working on a payment service that allows organizations to supply their own branded pages for the checkout page flow (enter payment information, verify data, receive confirmation). We will host the pages in our secure environment. The payment form must satisfy an established contract (use POST, not be multi-part, include a required set of form fields, etc.). We will also insert the content for the dynamic/sensitive parts of the verification and confirmation pages. Other than that, the idea is to give the organization complete flexibility to design the pages however they like.

We would like to automatically guarantee that a page does not contain vulnerabilities that could compromise payment card information, hopefully without having to ban all third-party JavaScript from the published pages. In particular, we would ideally like to "wall off" the parts of the DOM containing the most sensitive fields (credit card number, expiration date, CVV), such that untrusted scripts cannot access them at all. The vulnerabilities may be introduced by accident or maliciously (an evil person figures out a way to publish a hacked form through our admin interface).

Would Caja help us solve this problem? From reading the docs, it seems like we might be able to do the following:

1) document a standard white list of script capabilities that organizations can leverage in their page designs;
2) disallow script tags in the document head element;
3) cajole the entire body of each page as a single module;
4) implement a container that recreates the head element from the original design (link and style elements) and renders the single body module.

My first question is whether this approach would work at all. Even if it works under model circumstances, however, it does not seem like a viable real-world solution. Designers will not necessarily supply "clean" markup and scripts or be able to follow the white list easily.
Realistically, I suspect that the only reasonably safe approach is to ban all scripting from the submitted designs. Thanks in advance for your response and any general advice you might have on this problem.
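The following is an added illustration of the "wall off part of the DOM" idea raised in the question above. It is not Caja's API and not the poster's code: the DOM is a constructed toy tree of plain objects, and the guest script is run with `new Function` purely to show the DOM-side containment (Node globals remain reachable to the guest, which is the part a real cajoler has to handle). The container keeps the real tree and hands untrusted script a tamed view from which every subtree marked `data-sensitive` is absent, so the card fields cannot be reached by any path through that view.

```javascript
'use strict';
// Added example (not Caja, not the poster's code). Demonstrates giving
// untrusted page script only a tamed view of a document from which the
// sensitive subtree (card number, expiry, CVV) has been removed.

// Constructed toy DOM node; `value` stands in for an <input>'s current value.
function el(tag, attrs = {}, children = []) {
  return { tag, attrs: { ...attrs }, children, value: attrs.value ?? '' };
}

// The real document owned by the trusted container. The card fields live
// in a subtree that is marked as sensitive (assumed marker: data-sensitive).
function buildCheckoutDocument() {
  return el('body', {}, [
    el('form', { id: 'checkout', method: 'POST' }, [
      el('input', { name: 'customer_name', value: 'Alice' }),
      el('div', { 'data-sensitive': 'true' }, [
        el('input', { name: 'card_number', value: '4111111111111111' }),
        el('input', { name: 'expiry', value: '12/30' }),
        el('input', { name: 'cvv', value: '123' }),
      ]),
      el('input', { name: 'promo_code', value: '' }),
    ]),
  ]);
}

function isSensitive(node) {
  return node.attrs['data-sensitive'] === 'true';
}

// One wrapper per real node so identity comparisons behave like a DOM.
const wrappers = new WeakMap();

// A TamedNode exposes a deliberately small API. The real node sits in a
// private field, so even a guest that monkey-patches the prototype cannot
// get the underlying object back.
class TamedNode {
  #real;
  constructor(real) { this.#real = real; }
  get tagName() { return this.#real.tag; }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.#real.attrs, name)
      ? this.#real.attrs[name] : null;
  }
  get value() { return this.#real.value; }
  set value(v) { this.#real.value = String(v); }   // writes to non-sensitive fields flow through
  // Sensitive subtrees are simply missing from the tamed view.
  get children() {
    return this.#real.children.filter(c => !isSensitive(c)).map(tame);
  }
  // Depth-first search, but only over what the tamed view exposes.
  findByName(name) {
    for (const child of this.children) {
      if (child.getAttribute('name') === name) return child;
      const hit = child.findByName(name);
      if (hit) return hit;
    }
    return null;
  }
}

function tame(real) {
  if (isSensitive(real)) throw new Error('refusing to tame a sensitive node');
  let w = wrappers.get(real);
  if (!w) { w = Object.freeze(new TamedNode(real)); wrappers.set(real, w); }
  return w;
}

// Trusted container side: walks the real tree and sees everything.
function findReal(node, name) {
  if (node.attrs.name === name) return node;
  for (const c of node.children) {
    const hit = findReal(c, name);
    if (hit) return hit;
  }
  return null;
}

// Run designer-supplied script text against the tamed document only.
// new Function still sees Node/browser globals: this is DOM containment,
// not a JavaScript sandbox.
function runUntrusted(source, realRoot) {
  return new Function('document', source)(tame(realRoot));
}

// Constructed guest script: edits an allowed field, then tries to reach the
// card number directly and by walking the tree.
function demo() {
  const doc = buildCheckoutDocument();
  const guest = `
    const name = document.findByName('customer_name');
    name.value = name.value.toUpperCase();
    return {
      direct: document.findByName('card_number'),
      walked: document.children[0].children.map(c => c.getAttribute('name')),
    };
  `;
  const result = runUntrusted(guest, doc);
  return {
    direct: result.direct,                                   // null: not reachable
    walked: result.walked,                                   // only non-sensitive inputs
    nameAfter: findReal(doc, 'customer_name').value,         // 'ALICE': allowed write landed
    cardStillThere: findReal(doc, 'card_number').value,      // container still sees it
  };
}

console.log(demo());
```

The point of the design is that the guest never receives a capability to the sensitive nodes in the first place, rather than having accesses to them checked and rejected; that is the same shape as a tamed DOM, and it is also why the poster's step 3 (cajoling the whole body as one module) matters: any script that is not routed through the tamed view gets the real document.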
