Thursday, October 29th, 2009

YUI 2.8.0 now Caja compliant

Category: Library, Security

Caja is one of the most promising attempts to deliver secure web applications that are not prone to the attacks normal JavaScript solutions sadly allow for. Let’s face it – the concept of global variables and the lack of sandboxed environments, on top of the fun that is browser security holes, make the web as it stands now quite hard to secure.

The problem with Caja is that it is quite troublesome to get your head around. Caja pre-processes web content (HTML, CSS and JavaScript) and converts it into something really unreadable but very secure. Practices that are insecure but have become quite common are rightfully flagged up as errors and fail to compile. This reminds me of Netscape 4.x rightfully not rendering tables that weren’t closed, or Netscape 6 not supporting document.all any more – the response from developers was outrage, as we are happy to write “convenient” code.

The way around a lot of browser bugs and implementation funnies (see John Resig’s talk “The DOM is a mess” for a deep-dive on that) is libraries. All the different JavaScript libraries – Dojo, MooTools, jQuery, YUI… first and foremost want to make our lives easier by making browsers behave. That’s cool and all, but the problem is that the libraries themselves are not Caja compliant.

As Yahoo’s new application platform YAP, which allows you to run small apps in My Yahoo and on the Yahoo homepage, uses Caja, there was an immediate need to make YUI work. The YUI team and the YAP engineers put their heads down and have now announced that YUI has been cleaned up and made compatible.

As Caja doesn’t allow for a script with a src inside a container, this restriction has been lifted for the official YUI locations. Read more details about the changes to YUI on the YDN blog; here are the links to the docs and the forum, where I’d encourage you to report any bugs you find:

This is a great step towards secure apps that can be built easily. There were a few earlier attempts to “fix” Prototype to become Caja compliant and I would love that to come to fruition. Furthermore, a Caja compliant jQuery and MooTools would rock, too. The official whitelisted endpoint for inclusion could be the Google Ajax Libraries API.
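The script-src restriction and the whitelisted endpoint idea above amount to an origin allowlist that the container enforces on gadget markup. The following is an added example of such a check, not Caja’s or YUI’s own code; the allowed host (yui.yahooapis.com) and the sample gadget markup are assumptions.

```javascript
// Added example: an origin allowlist for <script src> in gadget markup.
// Not Caja's implementation; the allowed locations are assumptions.

// Assumed whitelist of official library locations: origin plus path prefix.
const ALLOWED_SCRIPT_SOURCES = [
  { origin: "http://yui.yahooapis.com", pathPrefix: "/" },
  { origin: "https://yui.yahooapis.com", pathPrefix: "/" },
];

// Returns true only if src parses as an absolute URL whose origin and path
// match an allowlist entry. Comparing the parsed origin (not a string prefix)
// defeats lookalike hosts such as "yui.yahooapis.com.example.net" and
// userinfo tricks such as "http://yui.yahooapis.com@other.example/".
function isAllowedScriptSource(src, allowed = ALLOWED_SCRIPT_SOURCES) {
  let url;
  try {
    url = new URL(src); // relative URLs have no base here and are rejected
  } catch (e) {
    return false;
  }
  return allowed.some(
    (rule) => url.origin === rule.origin && url.pathname.startsWith(rule.pathPrefix)
  );
}

// Naive string-prefix check, kept only for comparison: it accepts the lookalikes.
function naiveIsAllowed(src) {
  return src.startsWith("http://yui.yahooapis.com");
}

// Scan gadget markup for external scripts and return the sources a container
// would have to reject. A regex suffices for this demonstration; a real
// container walks the parsed DOM rather than pattern-matching raw HTML.
function rejectedScriptSources(html) {
  const rejected = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']*)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!isAllowedScriptSource(m[1])) rejected.push(m[1]);
  }
  return rejected;
}

// Constructed sample gadget markup: one official YUI script, two that must fail.
const SAMPLE_GADGET = `
<script src="http://yui.yahooapis.com/2.8.0/build/yuiloader/yuiloader-min.js"></script>
<script src="http://yui.yahooapis.com.example.net/evil.js"></script>
<script src="http://other.example/lib.js"></script>
`;
```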

Posted by Chris Heilmann at 11:48 am


There were a few earlier attempts to “fix” prototype to become Caja compliant and I would love that to come to fruition.

These earlier attempts gave birth to Valija. Full Caja-compliance is still a work in progress. Stay tuned.

Comment by tobielangel — October 29, 2009

Excellent and helpful

Comment by Aphrodisiac — January 22, 2010
