Jas, I made a bunch of changes here ... could you please look over this and confirm LGTM?
The idea is to whitelist into module objects exposed to Cajita by the module system only those properties of the "raw" Caja module literal that are necessary, and ensure these properties do not provide a communication channel (i.e., are transitively frozen). http://codereview.appspot.com/115041
