Fwd: [e-lang] Caja gadgets on Yahoo! home page!!

From: Jonathan Rees <jar@creativecommons.org>
Date: Tue, 13 Oct 2009 08:32:06 -0400
Message-ID: <760bcb2a0910130532m58d6f3a4j9f4da52106766655@mail.gmail.com>
To: www-tag@w3.org

The following is FYI a propos our discussions this spring about access
control and object capabilities.

-Jonathan

---------- Forwarded message ----------
From: Mark Miller <erights@gmail.com>
Date: Mon, Oct 12, 2009 at 8:08 PM
Subject: [e-lang] Caja gadgets on Yahoo! home page!!
To: General discussions concerning capability systems
<cap-talk@mail.eros-os.org>, Discussion of E and other capability
languages <e-lang@mail.eros-os.org>, Google Caja Discuss
<google-caja-discuss@googlegroups.com>

Caja (and thus object-capabilities) are now protecting one of the
world's top three web pages, the Yahoo! home page.

http://developer.yahoo.com/yap/guide/caja-support.html
http://www.wait-till-i.com/2009/10/11/introduction-to-yahoo-open-applications/

The other two top web pages are the Google search page and the
Facebook page <http://www.alexa.com/topsites>. The Google search page
has no need for isolation. The primary means of isolation on the
Facebook page is also JavaScript-to-JavaScript rewriting (their FBJS),
which is also an ocap-oriented approach in most ways. AFAICT, it is
not until you get to site #11 that you find a site needing isolation
within a page and using iframes and the same origin policy (SOP) as
the primary means of providing it. (Note that iframes/SOP is still used
as a defense-in-depth backstop for Caja on the Yahoo! home page,
just in case. And Facebook does make some use of iframes as well.)

It seems that within pages served at huge scale, ocap-oriented
JS-to-JS rewriting is now the primary means of isolation, having
overtaken and surpassed iframes and SOP. While it is way too early to
declare victory, it is not too early to applaud Yahoo! for their
tremendous progress contributing to a safer web.

--
Text by me above is hereby placed in the public domain

  Cheers,
  --MarkM
_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang
Received on Tuesday, 13 October 2009 12:32:42 GMT
