Posted by Jasvir Nagra (Caja) and Shishir Birmiwal (orkut), Software Engineers

We are excited to announce the availability of Caja (pronounced KA-hah) for orkut applications. Caja makes your gadget more secure by analyzing and rewriting it so that any exploits or vulnerabilities in your application are much less dangerous for your users. It also rewrites your gadget so that it works across different browsers. For example, under Caja it doesn't matter whether you use addEventListener or attachEvent — both just work!
Caja works with your existing HTML, CSS and JavaScript — there are no new tools, programming languages or APIs for you to learn. Your gadget can keep using ordinary object references and the orkut APIs. To make its analysis possible, Caja restricts the JavaScript accepted in a gadget to an analyzable subset. The only constructs left out of this subset, such as with and eval, also violate JavaScript best practices. In addition, Caja warns about other aspects of the code, such as missing semicolons, HTML attributes that browsers don't recognize, and statements that have no side effect.
To enable Caja for your application, add the following feature entry to your app XML in ModulePrefs:

<Require feature="caja"/>

For example, here is a very simple gadget which makes some text bold and displays it:
<Module>
  <ModulePrefs title="Example Gadget">
    <Require feature="caja" />
  </ModulePrefs>
  <Content type="html"><![CDATA[
    <script>
      function inBold() {
        var result = document.createElement('div');
        result.innerHTML = "<b>" + document.getElementById("plainText").value + "</b>";
        document.getElementById("boldText").appendChild(result);
      }
    </script>
    <input id="plainText" type="text" size="50" value="hello world" />
    <input type="button" value="Bold!" onclick="inBold();" />
    <div id="boldText"></div>
  ]]></Content>
</Module>
Can you see the problem? Unfortunately, this gadget contains a very common XSS vulnerability. If a user enters text into the input box that contains a <script> block, either deliberately or as a result of being tricked by an attacker, the script can take control of your gadget — for example, by redirecting the user to a malware site. The gadget is vulnerable because its author assigns an unsanitized string to innerHTML, which may execute scripts embedded in that string. However, because the gadget uses Caja, such errors in quoting and sanitization don't escalate into arbitrary script execution, and your users will not be exploited.
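To make the defect concrete, here is the gadget's inBold() pattern in its vulnerable form beside two hardened forms that keep the feature but never let user input be parsed as markup. This is an added example written for this post, not code from the gadget above or from Caja; escapeHtml, boldMarkupUnsafe, boldMarkupSafe, boldElementSafe and HOSTILE_INPUT are names chosen here, and the hostile input is constructed.

```javascript
// Added example (not part of the original post or of Caja): the gadget's
// inBold() pattern in its vulnerable form beside two hardened forms.

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: mirrors the post's gadget. The returned markup is what the
// gadget assigns to innerHTML, so any tags in userText are parsed live.
function boldMarkupUnsafe(userText) {
  return '<b>' + userText + '</b>';
}

// HARDENED (string form): escape before concatenating, so user input can
// only ever appear as text inside the <b> element.
function boldMarkupSafe(userText) {
  return '<b>' + escapeHtml(userText) + '</b>';
}

// HARDENED (DOM form): build nodes directly instead of parsing markup.
// `doc` is the browser's `document` in a real gadget; a stub works for tests.
function boldElementSafe(doc, userText) {
  var b = doc.createElement('b');
  b.appendChild(doc.createTextNode(userText)); // a text node is never parsed
  return b;
}

// Constructed hostile input, the "<script> block" case from the post.
var HOSTILE_INPUT = '<script>alert(1)</script>';

// Stand-alone demonstration: the unsafe markup still carries a script tag,
// the escaped markup cannot.
function demo() {
  return {
    unsafeHasScript: /<script\b/i.test(boldMarkupUnsafe(HOSTILE_INPUT)),
    safeHasScript: /<script\b/i.test(boldMarkupSafe(HOSTILE_INPUT))
  };
}
```

In the gadget itself the DOM form is the one to use: replace the innerHTML assignment with a createElement('b') plus a text node, and the user's text can never become markup, whether or not Caja is present.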
Caja also supports Flash through a Flash bridge. Read more about the FlashBridge or try out the sample app.
We will be introducing a badge for gadgets that use Caja, so users can more easily find them. Caja gadgets will get a boost in the app-directory rankings. So get coding and building interesting apps!
Caja in orkut is a work in progress, and we will continue to incorporate your feedback to improve it. Read the Caja getting-started guide or visit the Caja homepage for more information.