We're looking for a way to secure third party code within our web pages. Someone suggested we use Caja. I looked into that, but the information about it is quite sparse. Before I deep dive into it, I would first like to know:

  1. Can Caja handle embedded HTML like Google Maps', which effectively acts as a bootstrap and loads all the active HTML and JavaScript when run by the browser?

  2. Is Caja mature enough to be used in a production environment, or is it still at the concept stage?

Thanks, Eran

+2  A: 

You should take a look at their issues list. The list looks healthy in the sense that it's alive and active, so that is one point in favor. But you should look and see if any of these issues apply to your needs. If not, then you're probably fine; if the answer is yes, you need to decide if you're willing to wait, or contribute, or are better off looking for something new.

Personally, it looks ok, but I'm not sure how far you want to take it.

Robert Gould
+1  A: 

Caja is being actively used in production by a number of projects including Yahoo Applications Portal.

From http://developer.yahoo.com/yap/guide/caja-support.html:

The cajoled script is then run within a security sandbox created in your browser. This provides a way to safely include arbitrary third-party content on any Web page.

In principle, Caja should be transparent. Most JavaScript behaves the same whether it's run directly or cajoled. However, since Caja is currently evolving and incomplete, there are some noticeable differences.

Mike Samuel