On Wed, Jul 11, 2012 at 12:05 PM, Mark S. Miller <[email protected]> wrote:
> [+google-caja-discuss]
>
> On Wed, Jul 11, 2012 at 11:24 AM, Kevin O <[email protected]> wrote:
>
>> Thanks for the suggestion. Caja does seem like it's pretty robust but
>> maybe more than I need. Plus, I would have to call out to a service every
>> time I compile or re-implement the whole thing in node to use it. Neither
>> is really an option, unfortunately.
>>
>> On Wednesday, 11 July 2012 13:17:23 UTC-4, Marcel wrote:
>>>
>>> Look at Google Caja, this does exactly what you describe. It's a very
>>> complicated problem.
>>
>
> Caja as a whole secures JS, html, css, and the browser/dom API. On Node,
> the only relevant component is the securing of JS.
>
> Caja has two ways to secure JS.
>
> * For pre-ES5 systems, Caja uses a server-side translator to translate
> from the secure subset of ES5 to ES3. This is the "very complicated" that
> Marcel refers to.
>
> * For ES5 compliant systems, Caja uses a simple client-side
> translation-free system, the SES (Secure EcmaScript) library[1], to enforce
> that further code that is evaled in that context is limited to the
> object-capability subset of ES5.
>

Forgot the punch line: Node is based on modern v8, and so is ES5 compliant. SES on Node should work fine.

> [1] http://es-lab.googlecode.com/svn/trunk/src/ses/initSES-minified.js
>
> sources at http://code.google.com/p/es-lab/source/browse/trunk/src/ses/
> and
> http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/
>

--
Cheers,
--MarkM
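One part of how a library like SES confines later-evaled code is freezing the shared built-ins (primordials), so guest code cannot redefine them for everything else in the same context. The following is an added illustration of that single idea, not part of the original thread and not the SES library's code or API. Assumptions: `makeRealm`, `runGuest`, `laterCode` and the guest string are hypothetical names, only four built-ins are frozen, and Node's `vm` module is used solely to get a separate set of built-ins for the demo, not as a sandbox.

```javascript
const vm = require('vm');

// Create a fresh realm with its own Object, Array, etc. vm is used only to
// get a separate set of primordials; it is not a security boundary.
function makeRealm(freezePrimordials) {
  const realm = vm.createContext({});
  if (freezePrimordials) {
    // Simplified: freeze a handful of shared built-ins. A real
    // implementation has to cover every object reachable from the globals.
    vm.runInContext(`
      [Object, Array, Function, String].forEach(function (ctor) {
        Object.freeze(ctor.prototype);
        Object.freeze(ctor);
      });
    `, realm);
  }
  return realm;
}

// Evaluate guest source as strict code and report how it ended.
function runGuest(realm, src) {
  try {
    vm.runInContext('"use strict";\n' + src, realm);
    return 'ran';
  } catch (e) {
    return e.name;
  }
}

// Code evaluated later in the same realm that relies on Array.prototype.map.
function laterCode(realm) {
  return vm.runInContext(
    '[1, 2, 3].map(function (x) { return x * 2; }).join(",")', realm);
}

// Constructed guest source: tries to replace a shared built-in method.
const GUEST = 'Array.prototype.map = function () { return ["poisoned"]; };';

function demo() {
  const open = makeRealm(false);
  const frozen = makeRealm(true);
  return {
    open: [runGuest(open, GUEST), laterCode(open)],
    frozen: [runGuest(frozen, GUEST), laterCode(frozen)],
  };
}

console.log(demo());
```

In the unfrozen realm the guest's replacement of `map` is visible to the code evaluated after it; in the frozen realm the same assignment throws in strict mode and the later code sees the original built-in.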
