10.24: news.addn/dev.caja/cap-based goes big-time:
to General discussions concerning capability systems,
Discussion of E and other capability languages,
Google Caja Discuss
date Mon, Oct 12, 2009 at 5:08 PM
subject [e-lang] Caja gadgets on Yahoo! home page!!
Caja (and thus object-capabilities) are now protecting one of the world's top three web pages, the Yahoo! home page.

The other two top web pages are the Google search page and the Facebook page. The Google search page has no need for isolation. The primary means of isolation on the Facebook page is also Javascript-to-Javascript rewriting (their FBJS), which is also an ocap-oriented approach in most ways. AFAICT, it is not until you get to site #11 that you find a site needing isolation within a page and using iframes and the same origin policy (SOP) as the primary means of providing it. (Note that iframes/SOP is still used as a defense-in-depth backstop for Caja on the Yahoo! home page, just in case. And Facebook does make some use of iframes as well.)

It seems that within pages served at huge scale, ocap-oriented JS-to-JS rewriting is now the primary means of isolation, having overtaken and surpassed iframes and SOP. While it is way too early to declare victory, it is not too early to applaud Yahoo! for their tremendous progress contributing to a safer web.