Comments on: Making JavaScript Safe with Google Caja http://ajaxian.com/archives/making-javascript-safe-with-google-caja Cleaning up the web with Ajax Thu, 09 Feb 2012 06:55:33 +0000 hourly 1 http://wordpress.org/?v=3.2 By: maddesa http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-275728 maddesa Wed, 30 Sep 2009 18:04:18 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-275728 @Aphrodisiac yes google is behind this. There was a great presentation on this at The Ajax Experience in Boston two weeks ago. @misuba not to speak for the project, Caja basically reads in a third party script, and rewrites it in a safe way. it allows you to compose application from untrusted third parties and even enables communication between those scripts. @Jim I think you have to remember that users of this site don't accurately represent everyday users. I know this may sound crazy, but most people barely know what a browser is, never mind putting thought into which one is better, faster, safer. Most people just know that the Big Blue E that "came with" their computer is the internet. @Aphrodisiac yes google is behind this. There was a great presentation on this at The Ajax Experience in Boston two weeks ago.

@misuba not to speak for the project, Caja basically reads in a third party script, and rewrites it in a safe way. it allows you to compose application from untrusted third parties and even enables communication between those scripts.

@Jim I think you have to remember that users of this site don’t accurately represent everyday users. I know this may sound crazy, but most people barely know what a browser is, never mind putting thought into which one is better, faster, safer. Most people just know that the Big Blue E that “came with” their computer is the internet.

]]> By: Aphrodisiac http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-266275 Aphrodisiac Thu, 31 Jul 2008 10:26:26 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-266275 is google behind this? is google behind this?

]]> By: misuba http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-257175 misuba Mon, 15 Oct 2007 16:10:11 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-257175 This is all great, but... what IS Caja exactly? This is all great, but… what IS Caja exactly?

]]> By: Thomas Hansen http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-257140 Thomas Hansen Sun, 14 Oct 2007 00:01:40 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-257140 I think it's really sad that such a great developer as Douglas is determined on "fixing something that's NOT broken"... :( BTW security in Ajax is a NON-issue if you're using a server-centric Ajax Framework like e.g. Gaia Ajax Widgets... If I were to "break" the language and don't think about backwards compatibility I'd say it's a 100 times more important to bring in namespaces and avoid the "garbage bin" of "window.x" - global "namespace"... I think it’s really sad that such a great developer as Douglas is determined on “fixing something that’s NOT broken”… :(
BTW security in Ajax is a NON-issue if you’re using a server-centric Ajax Framework like e.g. Gaia Ajax Widgets…
If I were to “break” the language and don’t think about backwards compatibility I’d say it’s a 100 times more important to bring in namespaces and avoid the “garbage bin” of “window.x” – global “namespace”…

]]> By: Christian Pulcinelli http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-257131 Christian Pulcinelli Sat, 13 Oct 2007 17:33:04 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-257131 Javascript is a strong way to make a site look more "cool" or easy to use but all the people i know think twice before using javascript to manage data, they prefer many other languages but all of them would be happy to manage all from one language, otherwise using one for a feauture and one for another... why the "bosses" don't work on this? Javascript is a strong way to make a site look more “cool” or easy to use but all the people i know think twice before using javascript to manage data, they prefer many other languages but all of them would be happy to manage all from one language, otherwise using one for a feauture and one for another… why the “bosses” don’t work on this?

]]> By: Vytas http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-257116 Vytas Sat, 13 Oct 2007 07:21:54 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-257116 Post advertisement at http://fivq.com/ . There you can offer your services, find gigs (short term jobs) or long term jobs. It is good place who would like to work remotely. Also there you can promote your website, your services. Between its absolutely free to post and no registration needed. Post advertisement at http://fivq.com/ . There you can offer your services, find gigs (short term jobs) or long term jobs. It is good place who would like to work remotely. Also there you can promote your website, your services. Between its absolutely free to post and no registration needed.

]]> By: Jim http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-257108 Jim Sat, 13 Oct 2007 00:21:07 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-257108 Seems to me that everyday users need to be able to clearly see what information is being sent from their browser and to what destination--along with a control for permitting it and denying it. This way individuals remain responsible for their own information, privacy, etc and are empowered to control it (along with firewall, adblockers, etc). Personally I see this as having way more longevity, reliability and simplicity than fixing/changing the languages/technologies across all the browsers, getting everyone to use the new products, educating developers, etc, etc. Seems to me that everyday users need to be able to clearly see what information is being sent from their browser and to what destination–along with a control for permitting it and denying it. This way individuals remain responsible for their own information, privacy, etc and are empowered to control it (along with firewall, adblockers, etc). Personally I see this as having way more longevity, reliability and simplicity than fixing/changing the languages/technologies across all the browsers, getting everyone to use the new products, educating developers, etc, etc.

]]> By: Chess http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-257097 Chess Fri, 12 Oct 2007 20:21:33 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-257097 I agree, ripping off the entire content of someone's article isn't satisfied by a courtesy link to it. Bad move I agree, ripping off the entire content of someone’s article isn’t satisfied by a courtesy link to it. Bad move

]]> By: Justin Meyer http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-257088 Justin Meyer Fri, 12 Oct 2007 18:42:12 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-257088 This would make it much easier for mashups to run untrusted scripts, but I think this really needs to happen in the browser. Of course, due to all the browser inconsistencies of the 90's, I can understand why people are afraid of that. But there is no substitute for correctness. Hopefully, the big boys of the internet (Google / Yahoo) are putting pressure on the browser vendors to make these changes. But, what's the motivation (ie $$) to improve browsers anymore? This would make it much easier for mashups to run untrusted scripts, but I think this really needs to happen in the browser.

Of course, due to all the browser inconsistencies of the 90′s, I can understand why people are afraid of that. But there is no substitute for correctness.

Hopefully, the big boys of the internet (Google / Yahoo) are putting pressure on the browser vendors to make these changes. But, what’s the motivation (ie $$) to improve browsers anymore?

]]> By: Mark Holton http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-257087 Mark Holton Fri, 12 Oct 2007 18:40:47 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-257087 ...I love Dion's 'teaser' quote... it's the entire Crockford article copied and pasted ;) Great info though, as always! Thanks, guys. …I love Dion’s ‘teaser’ quote… it’s the entire Crockford article copied and pasted ;)
Great info though, as always! Thanks, guys.

]]> By: Jonathan Bond-Caron http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-257079 Jonathan Bond-Caron Fri, 12 Oct 2007 17:18:13 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-257079 Looks official (// Copyright (C) 2007 Google Inc.), research focused Doing this in javascript doesn't make any practical sense to me, but their research is amazing: http://google-caja.googlecode.com/files/caja-spec-2007-10-11.pdf We need to fix the browser that for sure. Would be nice to see collaboration, there's a new effort at OpenAjax to propose changes to browser vendors: http://www.openajax.org/member/wiki/Runtime Looks official (// Copyright (C) 2007 Google Inc.), research focused

Doing this in javascript doesn’t make any practical sense to me, but their research is amazing:
http://google-caja.googlecode.com/files/caja-spec-2007-10-11.pdf

We need to fix the browser that for sure. Would be nice to see collaboration, there’s a new effort at OpenAjax to propose changes to browser vendors:

http://www.openajax.org/member/wiki/Runtime

]]> By: Uriel Katz http://ajaxian.com/archives/making-javascript-safe-with-google-caja/comment-page-1#comment-257076 Uriel Katz Fri, 12 Oct 2007 16:51:52 +0000 http://ajaxian.com/archives/making-javascript-safe-with-google-caja#comment-257076 is it a official google project? is it a official google project?

]]>