Try out Caja here!
Caja allows websites to safely embed DHTML web applications from third parties, and enables rich interaction between the embedding page and the embedded applications. It uses an object-capability security model to allow for a wide range of flexible security policies, so that the containing page can effectively control the embedded applications' use of user data and to allow gadgets to prevent interference between gadgets' UI elements.
Today, some websites embed third-party code using iframes. This approach does not prevent a wide variety of attacks: redirection to phishing pages which could pretend to be a login page for the embedding application; stopping the browser from working until the user downloads malware; stealing history information about which sites a user has visited so that more target phishing attacks can be done; and port scanning the user's local network. Finally, even though a website can choose not to give data to an iframe app, once it has done so it can place no further restrictions on what the iframe app can do with it — it cannot stop the iframe app from sending that data elsewhere.
Caja addresses these problems which are not addressed by iframe jails; and it does so in a very flexible way. If a container wishes to allow an embedded application to use a particular web service, but not to send arbitrary network requests, then it can give the application an object that interacts with that web service, but deny access to XMLHttpRequest. Under Caja, passing objects grants authority, and denying access to objects denies authority, as is typical in an object-capability environment. Information leakage can be prevented by allowing user data to be encapsulated in objects that can be rendered in user-readable form but not read by scripts ; we can prevent leakage without solving the problem of covert channels.
Contacting the Caja TeamDiscussionsOur discussion group is the best place to contact us. First posts are moderated to remove spam, so don't worry if your post doesn't show up immediately. You can also find team members on the #caja IRC channel on freenode.net.
Reporting Bugs & Security IssuesPlease report potential vulnerabilities using the private issue tracker, and bugs and feature requests via the public issue tracker. The Caja team encourages responsible disclosure, since production services rely on us for security. We will work to resolve the issue and make sure credit is given.
ContributingThe Caja team includes people from a number of different companies and some private individuals. If you would like to contribute, introduce yourself on our discussion group.
MotivationSome websites embed code in iframes, and pass user data between them. The use of these sites has thus far been limited to teenagers and others who are comfortable with some aspects of their lives being very public. The same development model — where one company provides a general storage layer for data, and third parties provide custom interfaces and extensions — has not been extended to systems that deal with valuable data.
This development model is promising, though. Large software companies have to target their user-interface efforts at a mythical average user; the high costs of researching and understanding the needs of niches of users means that user interfaces tend to suffer from the "lowest common denominator" effect. But there are many developers who understand niche markets, and know how to write custom user interfaces and workflows.
If we can safely embed third-party user interfaces and workflows into generic backends, we can encourage a market for embedded applications that will make the web experience much richer. Caja aims to allow that safe embedding.
Since web applications make common use of browser APIs, e.g. the DOM APIs, that give a huge amount of control over the web page, Caja provides tamed APIs that virtualize portions of the DOM. A containing page can set up the embedding application's environment so that the embedded application thinks it is interacting with the DOM of a full page, but is in fact only manipulating a bounded portion of the containing page via a mechanism called virtual iframes.
Cajoled GadgetUncajoled Gadget
Use Patent Claims
These details are provided for information only. No information here is legal advice and should not be used as such.
There are no reported vulnerabilities