Caja project - Misplaced Pages

Google project for sanitizing third party HTML, CSS and JavaScript

Caja (pronounced /ˈkɑːhɑː/ KAH-hah) was a Google project for sanitizing third party HTML, CSS and JavaScript. On January 31, 2021, Google archived the project due to known vulnerabilities and lack of maintenance to keep up with the latest web security research, recommending instead the Closure toolkit.

The Caja project was led by Jasvir Nagra with the JavaScript portion designed by Google research scientist Mark S. Miller in 2008 as a JavaScript implementation for "virtual iframes" based on the principles of object-capabilities. It would take JavaScript (technically, ECMAScript 5 strict mode code), HTML, and CSS input and rewrite it into a safe subset of HTML and CSS, plus a single JavaScript function with no free variables. That means the only way such a function could modify an object, was if it was given a reference to the object by the host page. Instead of giving direct references to DOM objects, the host page typically gives references to wrappers that sanitize HTML, proxy URLs, and prevent redirecting the page; this allowed Caja to prevent certain phishing and cross-site scripting attacks, and prevent downloading malware. Also, since all rewritten programs ran in the same frame, the host page could allow one program to export an object reference to another program; then inter-frame communication was simply method invocation.

The word "caja" is Spanish for "box" or "safe" (as in a bank), the idea being that Caja could safely contain JavaScript programs as well as being a capabilities-based JavaScript.

Caja was used by Google in its Google Apps Script products. In 2008 MySpace and Yahoo! had both deployed a very early version of Caja.

References

Mark, Miller. "Caja discussion on the Caplet Group". . . Archived from the original on 17 May 2008.
"Introduction - Caja". Google Developers. Archived from the original on 22 January 2021.
Miller, Mark S.; Samuel, M; Laurie, B; Awad, I; Stay, M (7 June 2008). "Safe active content in sanitized JavaScript". Google Scholar.
Synodinos, Dio (25 February 2011). "ECMAScript 5, Caja and Retrofitting Security, with Mark S. Miller". InfoQ.
"Html Service: Caja Sanitization". Google Developers. Archived from the original on 26 August 2013.
"MySpace: Caja JavaScript scrubbing ready for prime time". 4 February 2008. Archived from the original on 1 October 2008.
"Web 2.0 Investors: Pay Attention To Caja". Tim Oren's Due Diligence. 11 April 2008.
Pullara, Sam (28 October 2008). "OpenSocial API Blog: Launched: Yahoo!'s First Implementation of OpenSocial Support". OpenSocial. Archived from the original on 16 December 2008.

External links

Caja project home page
Caja project source code
Caja playground
Caja draft specification: "Safe active content in sanitized JavaScript", Mark S. Miller, Mike Samuel, Ben Laurie, Ihab Awad, Mike Stay
Yahoo!/Google Caja Javascript Sandbox

v t e Object-capability security
Concepts	Principle of least privilege (PoLP) Confused deputy problem Ambient authority File descriptor C-list Object-capability model Capability-based security Capability-based addressing Zooko's triangle Petnames
Operating systems, kernels	Capsicum Fuchsia Genode GNOSIS → KeyKOS → EROS → CapROS Hydra iMAX 432 Midori NLTSS seL4 HarmonyOS (HarmonyOS NEXT) Phantom OS
Programming languages	Cajita E Joe-E Joule
File systems	Tahoe-LAFS
Specialised hardware	BiiN Cambridge CAP Flex IBM System/38 Intel iAPX 432 Plessey System 250

ECMAScript

Dialects

Engines
(comparison)

Carakan
Futhark
InScript
JavaScriptCore
JScript
KJS
Linear B
QtScript
Rhino
SpiderMonkey
- TraceMonkey
- JägerMonkey
Tamarin
V8
ChakraCore
- Chakra
JScript .NET
Nashorn

Frameworks

Client-side	Dojo Echo Ext JS Google Web Toolkit jQuery Lively Kernel midori MochiKit MooTools Prototype Pyjs qooxdoo SproutCore Spry Wakanda Framework
Server-side	Node.js Deno Bun Jaxer AppJet WakandaDB
Multiple	Cappuccino
Libraries	Backbone.js SWFObject Underscore.js

People

Other

Lists: JavaScript libraries; Ajax frameworks
Comparisons: JavaScript frameworks; server-side JavaScript

Google

a subsidiary of Alphabet

Company

Divisions

Subsidiaries

Active

Defunct

Programs

Events

Infrastructure

111 Eighth Avenue
Android lawn statues
Androidland
Barges
Binoculars Building
Central Saint Giles
Chelsea Market
Chrome Zone
Data centers
GeoEye-1
Googleplex
Ivanpah Solar Power Facility
James R. Thompson Center
King's Cross
Mayfield Mall
Pier 57
Sidewalk Toronto
St. John's Terminal
Submarine cables
- Dunant
- Grace Hopper
- Unity
WiFi
YouTube Space
YouTube Theater

People

Current	Krishna Bharat Vint Cerf Jeff Dean John Doerr Sanjay Ghemawat Al Gore John L. Hennessy Urs Hölzle Salar Kamangar Ray Kurzweil Ann Mather Alan Mulally Rick Osterloh Sundar Pichai (CEO) Ruth Porat (CFO) Rajen Sheth Hal Varian Neal Mohan
Former	Andy Bechtolsheim Sergey Brin (co-founder) David Cheriton Matt Cutts David Drummond Alan Eustace Timnit Gebru Omid Kordestani Paul Otellini Larry Page (co-founder) Patrick Pichette Eric Schmidt Ram Shriram Amit Singhal Shirley M. Tilghman Rachel Whetstone Susan Wojcicki

Criticism

General	Censorship DeGoogle FairSearch "Google's Ideological Echo Chamber" No Tech for Apartheid Privacy concerns Street View YouTube Worker organization Alphabet Workers Union YouTube copyright issues
Incidents	Backdoor advertisement controversy Blocking of YouTube videos in Germany Data breach Elsagate Fantastic Adventures scandal Kohistan video case Reactions to Innocence of Muslims San Francisco tech bus protests Services outages Slovenian government incident Walkouts YouTube headquarters shooting

Other

Development

Software

A–C	Accelerated Linear Algebra AMP Actions on Google ALTS American Fuzzy Lop Android Cloud to Device Messaging Android Debug Bridge Android NDK Android Runtime Android SDK Android Studio Angular AngularJS Apache Beam APIs App Engine App Inventor App Maker App Runtime for Chrome AppJet Apps Script AppSheet ARCore Base Bazel Bigtable BigQuery Bionic Blockly Borg Caja Cameyo Chart API Charts Chrome Enterprise Premium Chrome Frame Chromium Blink Closure Tools Cloud Connect Cloud Dataflow Cloud Datastore Cloud Messaging Cloud Shell Cloud Storage Code Search Compute Engine Cpplint
D–N	Dalvik Data Protocol Dialogflow Exposure Notification Fast Pair Fastboot Federated Learning of Cohorts File System Firebase Firebase Cloud Messaging FlatBuffers Flutter Freebase Gadgets Ganeti Gears Gerrit GLOP gRPC Gson Guava Guetzli Guice gVisor GYP JAX Jetpack Compose Keyhole Markup Language Kubernetes Kythe LevelDB Lighthouse Looker Studio lmctfy MapReduce Mashup Editor Matter Mobile Services Namebench Native Client Neatx Neural Machine Translation Nomulus
O–Z	Open Location Code OpenRefine OpenSocial Optimize OR-Tools Pack PageSpeed Piper Plugin for Eclipse Polymer Programmable Search Engine Project IDX Project Shield Public DNS reCAPTCHA RenderScript SafetyNet SageTV Schema.org Search Console Shell Sitemaps Skia Graphics Engine Spanner Sputnik Stackdriver Swiffy Tango TensorFlow Tesseract Test Translator Toolkit Urchin UTM parameters V8 VirusTotal VisBug Wave Federation Protocol Weave Web Accelerator Web Designer Web Server Web Toolkit Webdriver Torso WebRTC

Operating systems

Android
- Cupcake
- Donut
- Eclair
- Froyo
- Gingerbread
- Honeycomb
- Ice Cream Sandwich
- Jelly Bean
- KitKat
- Lollipop
- Marshmallow
- Nougat
- Oreo
- Pie
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- version history
- smartphones
Android Automotive
Android Go
- devices
Android Things
Android TV
- devices
Android XR
ChromeOS
ChromiumOS
Fuchsia
Glass OS
gLinux
Goobuntu
TV
Wear OS

Language models

Neural networks

Computer programs

Formats and codecs

Programming languages

Search algorithms

Domain names

Typefaces

Products

A	Aardvark Account Dashboard Takeout Ad Manager AdMob Ads AdSense Affiliate Network Alerts Allo Analytics Android Auto Android Beam Answers Apture Arts & Culture Assistant Attribution Authenticator
B	BebaPay BeatThatQuote.com Blog Search Blogger Body Bookmarks Books Ngram Viewer Browser Sync Building Maker Bump BumpTop Buzz
C	Calendar Cast Catalogs Chat Checkout Chrome Chrome Apps Chrome Experiments Chrome Remote Desktop Chrome Web Store Classroom Cloud Print Cloud Search Contacts Contributor Crowdsource Currents (social app) Currents (news app)
D	Data Commons Dataset Search Desktop Dictionary Digital Wellbeing Dinosaur Game Directory Docs Docs Editors Domains Drawings Drive Duo
E	Earth Etherpad Expeditions Express
F	Family Link Fast Flip FeedBurner fflick Fi Wireless Finance Files Find My Device Fit Flights Flu Trends Fonts Forms Friend Connect Fusion Tables
G	Gboard Gemini Gesture Search Gizmo5 Google+ Gmail Goggles GOOG-411 Grasshopper Groups
H	Hangouts Helpouts
I	iGoogle Images Image Labeler Image Swirl Inbox by Gmail Input Tools Japanese Input Pinyin Insights for Search
J	Jaiku Jamboard
K	Kaggle Keep Knol
L	Labs Latitude Lens Like.com Live Transcribe Lively
M	Map Maker Maps Maps Navigation Marketing Platform Meet Messages Moderator My Tracks
N	Nearby Share News News & Weather News Archive Notebook NotebookLM Now
O	Offers One One Pass Opinion Rewards Orkut Oyster
P	Panoramio PaperofRecord.com Patents Page Creator Pay (mobile app) Pay (payment method) Pay Send People Cards Person Finder Personalized Search Photomath Photos Picasa Picasa Web Albums Picnik Pixel Camera Play Play Books Play Games Play Music Play Newsstand Play Pass Play Services Podcasts Poly Postini PostRank Primer Project Starline Public Alerts Public Data Explorer
Q	Question Hub Questions and Answers Quick, Draw! Quick Search Box Quick Share Quickoffice
R	Read Along Reader Reply
S	Safe Browsing SageTV Santa Tracker Schemer Scholar Search Knowledge Graph SafeSearch Searchwiki Sheets Shoploop Shopping Sidewiki Sites Slides Snapseed Socratic Softcard Songza Sound Amplifier Spaces Sparrow (chatbot) Sparrow (email client) Speech Recognition & Synthesis Squared Stadia Station Store Street View Surveys Sync
T	Tables Talk TalkBack Tasks Tenor Tez Tilt Brush Toolbar Toontastic 3D Translate Travel Trendalyzer Trends TV
U	URL Shortener
V	Video Vids Voice Voice Access Voice Search
W	Wallet Wave Waze WDYL Web Light Where Is My Train Widevine Word Lens Workspace Workspace Marketplace
Y	YouTube YouTube Kids YouTube Music YouTube Premium YouTube Shorts YouTube Studio YouTube TV YouTube VR

Hardware

Pixel

Smartphones	Pixel (2016) Pixel 2 (2017) Pixel 3 (2018) Pixel 3a (2019) Pixel 4 (2019) Pixel 4a (2020) Pixel 5 (2020) Pixel 5a (2021) Pixel 6 (2021) Pixel 6a (2022) Pixel 7 (2022) Pixel 7a (2023) Pixel Fold (2023) Pixel 8 (2023) Pixel 8a (2024) Pixel 9 (2024) Pixel 9 Pro Fold (2024)
Smartwatches	Pixel Watch (2022) Pixel Watch 2 (2023) Pixel Watch 3 (2024)
Tablets	Pixel C (2015) Pixel Slate (2018) Pixel Tablet (2023)
Laptops	Chromebook Pixel (2013–2015) Pixelbook (2017) Pixelbook Go (2019)
Other	Pixel Buds (2017–present)

Nexus

Smartphones	Nexus One (2010) Nexus S (2010) Galaxy Nexus (2011) Nexus 4 (2012) Nexus 5 (2013) Nexus 6 (2014) Nexus 5X (2015) Nexus 6P (2015)
Tablets	Nexus 7 (2012) Nexus 10 (2012) Nexus 7 (2013) Nexus 9 (2014)
Other	Nexus Q (2012) Nexus Player (2014)

Other

Android Dev Phone
Android One
Cardboard
Chromebit
Chromebook
Chromebox
Chromecast
Clips
Daydream
Fitbit
Glass
Liftware
Liquid Galaxy
Nest
- smart speakers
- Thermostat
- Wifi
Play Edition
Project Ara
OnHub
Pixel Visual Core
Project Iris
Search Appliance
Sycamore processor
Tensor
Tensor Processing Unit
Titan Security Key

v t e Litigation
Advertising	Feldman v. Google, Inc. (2007) Rescuecom Corp. v. Google Inc. (2009) Goddard v. Google, Inc. (2009) Rosetta Stone Ltd. v. Google, Inc. (2012) Google, Inc. v. American Blind & Wallpaper Factory, Inc. (2017) Jedi Blue
Antitrust	European Union (2010–present) United States v. Adobe Systems, Inc., Apple Inc., Google Inc., Intel Corporation, Intuit, Inc., and Pixar (2011) Umar Javeed, Sukarma Thapar, Aaqib Javeed vs. Google LLC and Ors. (2019) United States v. Google LLC (2020) United States v. Google LLC (2023)
Intellectual property	Perfect 10, Inc. v. Amazon.com, Inc. (2007) Viacom International Inc. v. YouTube, Inc. (2010) Lenz v. Universal Music Corp.(2015) Authors Guild, Inc. v. Google, Inc. (2015) Field v. Google, Inc. (2016) Google LLC v. Oracle America, Inc. (2021) Smartphone patent wars
Privacy	Rocky Mountain Bank v. Google, Inc. (2009) Hibnick v. Google, Inc. (2010) United States v. Google Inc. (2012) Judgement of the German Federal Court of Justice on Google's autocomplete function (2013) Joffe v. Google, Inc. (2013) Mosley v SARL Google (2013) Google Spain v AEPD and Mario Costeja González (2014) Frank v. Gaos (2019)
Other	Garcia v. Google, Inc. (2015) Google LLC v Defteros (2020) Epic Games v. Google (2021) Gonzalez v. Google LLC (2022)

Concepts

Products

Android	Booting process Custom distributions Features Recovery mode Software development
Street View coverage	Africa Antarctica Asia Israel Europe North America Canada United States Oceania South America Argentina Chile Colombia
YouTube	Copyright strike Education Features Moderation Most-disliked videos Most-liked videos Most-subscribed channels Most-viewed channels Most-viewed videos Arabic music videos French music videos Indian videos Pakistani videos Official channel Social impact Suspensions YouTube Premium original programming
Other	Gmail interface Maps pin Most downloaded Google Play applications Stadia games

Documentaries

Books

Google Hacks
The Google Story
Google Volume One
Googled: The End of the World as We Know It
How Google Works
I'm Feeling Lucky
In the Plex
The Google Book
The MANIAC

Popular culture

Google Feud
Google Me (film)
"Google Me" (Kim Zolciak song)
"Google Me" (Teyana Taylor song)
Is Google Making Us Stupid?
Proceratium google
Matt Nathanson: Live at Google
The Billion Dollar Code
The Internship
Where on Google Earth is Carmen Sandiego?

Other

Italics denote discontinued products.

Categories:

See also

References

External links