[+google-caja-discuss] On Wed, Jul 11, 2012 at 11:24 AM, Kevin O <[email protected]> wrote:
> Thanks for the suggestion. Caja does seem like it's pretty robust but
> maybe more than I need. Plus, I would have to call out to a service every
> time I compile or re-implement the whole thing in node to use it. Neither
> is really an option, unfortunately.
>
> On Wednesday, 11 July 2012 13:17:23 UTC-4, Marcel wrote:
>>
>> Look at Google Caja, this does exactly what you describe. It's a very
>> complicated problem.

Caja as a whole secures JS, html, css, and the browser/dom API. On Node, the only relevant component is the securing of JS. Caja has two ways to secure JS.

* For pre-ES5 systems, Caja uses a server-side translator to translate from the secure subset of ES5 to ES3. This is the "very complicated" that Marcel refers to.

* For ES5-compliant systems, Caja uses a simple client-side translation-free system, the SES (Secure EcmaScript) library[1], to enforce that further code that is evaled in that context is limited to the object-capability subset of ES5.

[1] http://es-lab.googlecode.com/svn/trunk/src/ses/initSES-minified.js
sources at
http://code.google.com/p/es-lab/source/browse/trunk/src/ses/
and
http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/

--
Cheers,
--MarkM

--
You received this message because you are subscribed to the Google Groups "nodejs" group.
