

Google-Caja: source-to-source translator for securing Javascript-based content - alrex021
http://code.google.com/p/google-caja/

======
nose
Their list of typical attack vectors in ES3 is very eye opening:
<http://code.google.com/p/google-caja/wiki/AttackVectors>
[http://code.google.com/p/google-caja/w/list?q=label:Attack-V...](http://code.google.com/p/google-caja/w/list?q=label:Attack-Vector)

You can also easily play with the Valija and ES5/3 dialect here
<http://caja.appspot.com>

------
cies
This is so important for 'us', here on HN. Let me try to explain why:

Many here are building SaaS products, and with the SaaS landscape getting ever
more crowded we see a lot of SaaS integrations emerge. Have a look at
freshbooks for instance. Currently these integrations are usually implemented
'server-side': the server of one web app pulls data from another web app. If
we want to allow client-side integrations, which allow a JS plugin to be
loaded from another app, then we need to keep security in mind (as this is
on-purpose cross-site scripting). This Caja lib seems to provide proper
measures to allow these kinds of integrations.

------
gcb
They use that widely in igoogle and orkut apps.

~~~
nose
It's opt-in for orkut app developers.

It's enabled by default, and enforced on yahoo.com/my.yahoo.com
<http://developer.yahoo.com/yap/homepage/>

