Re: Web app security - Caja demo

On Thu, 2009-05-28 at 12:42 -0400, Jonathan Rees wrote:
> On Thu, May 28, 2009 at 12:02 PM, Dan Connolly <connolly@w3.org> wrote:
> > The "use strict" stuff in ES5 evidently
> > borrows from Caja and other secure JavaScript
> > projects.
> 
> Not a coincidence. The 4 or 5 projects doing things like this
> are using Ecma as their standardization venue.

Right; my point was that this Caja stuff isn't just
in the labs; it seems to be on a realistic path
to deployment... this is surprisingly good news to me;
recall that just 6 months ago I wrote...

"it seems an impossibly high bar to reach, given the worse-is-better
tendency in software deployment ...

after wrestling with the patchwork of JavaScript security policies in
browsers in the past few weeks, the capability approach in ADsafe looks
simple and elegant by comparison. Is there any chance we can move the
state-of-the-art that far?"

 -- http://www.w3.org/QA/2008/12/web_applications_security_requ.html


-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
gpg D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E

Received on Thursday, 28 May 2009 16:51:51 UTC