Caja project

Google project for sanitizing third party HTML, CSS and JavaScript

Caja (pronounced /ˈkɑːhɑː/ KAH-hah)^[1] was a Google project for sanitizing third party HTML, CSS and JavaScript. On January 31, 2021, Google archived the project due to known vulnerabilities and lack of maintenance to keep up with the latest web security research, recommending instead the Closure toolkit.^[2]

The Caja project was led by Jasvir Nagra with the JavaScript portion designed by Google research scientist Mark S. Miller in 2008^[3]^[4] as a JavaScript implementation for "virtual iframes" based on the principles of object-capabilities. It would take JavaScript (technically, ECMAScript 5 strict mode code), HTML, and CSS input and rewrite it into a safe subset of HTML and CSS, plus a single JavaScript function with no free variables. That means the only way such a function could modify an object, was if it was given a reference to the object by the host page. Instead of giving direct references to DOM objects, the host page typically gives references to wrappers that sanitize HTML, proxy URLs, and prevent redirecting the page; this allowed Caja to prevent certain phishing and cross-site scripting attacks, and prevent downloading malware. Also, since all rewritten programs ran in the same frame, the host page could allow one program to export an object reference to another program; then inter-frame communication was simply method invocation.

The word "caja" is Spanish for "box" or "safe" (as in a bank), the idea being that Caja could safely contain JavaScript programs as well as being a capabilities-based JavaScript.

Caja was used by Google in its Google Apps Script^[5] products. In 2008 MySpace^[6]^[7] and Yahoo!^[8] had both deployed a very early version of Caja.

References

^ Mark, Miller. "Caja discussion on the Caplet Group". [cap-talk]. [e-lang]. Archived from the original on 17 May 2008.
^ "Introduction - Caja". Google Developers. Archived from the original on 22 January 2021.
^ Miller, Mark S.; Samuel, M; Laurie, B; Awad, I; Stay, M (7 June 2008). "Safe active content in sanitized JavaScript". Google Scholar.
^ Synodinos, Dio (25 February 2011). "ECMAScript 5, Caja and Retrofitting Security, with Mark S. Miller". InfoQ.
^ "Html Service: Caja Sanitization". Google Developers. Archived from the original on 26 August 2013.
^ "MySpace: Caja JavaScript scrubbing ready for prime time". 4 February 2008. Archived from the original on 1 October 2008.
^ "Web 2.0 Investors: Pay Attention To Caja". Tim Oren's Due Diligence. 11 April 2008.
^ Pullara, Sam (28 October 2008). "OpenSocial API Blog: Launched: Yahoo!'s First Implementation of OpenSocial Support". OpenSocial. Archived from the original on 16 December 2008.

External links

Look up caja#Spanish in Wiktionary, the free dictionary.

Caja project home page
Caja project source code
Caja playground
Caja draft specification: "Safe active content in sanitized JavaScript", Mark S. Miller, Mike Samuel, Ben Laurie, Ihab Awad, Mike Stay
Yahoo!/Google Caja Javascript Sandbox

Object-capability security

Concepts

Operating systems, kernels

Capsicum
Fuchsia
Genode
GNOSIS → KeyKOS → EROS → CapROS
Hydra
iMAX 432
Midori
NLTSS
seL4
HarmonyOS (HarmonyOS NEXT)
Phantom OS

Programming languages

Cajita
E
Joe-E
Joule

File systems

Tahoe-LAFS

Specialised hardware

ECMAScript

Dialects

Engines
(comparison)

Carakan
Futhark
InScript
JavaScriptCore
JScript
KJS
Linear B
QtScript
Rhino
SpiderMonkey
- TraceMonkey
- JägerMonkey
Tamarin
V8
ChakraCore
- Chakra
JScript .NET
Nashorn

Frameworks

Client-side	Dojo Echo Ext JS Google Web Toolkit jQuery Lively Kernel midori MochiKit MooTools Prototype Pyjs qooxdoo SproutCore Spry Wakanda Framework
Server-side	Node.js Deno Bun Jaxer AppJet WakandaDB
Multiple	Cappuccino
Libraries	Backbone.js SWFObject Underscore.js

People

Other

Lists: JavaScript libraries; Ajax frameworks
Comparisons: JavaScript frameworks; server-side JavaScript

Google

Company

Divisions

Ads
AI
- Brain
- DeepMind
Android
China
- Goojje
Chrome
Cloud
Glass
Google.org
Health
Maps
Pixel
Search
- Timeline
Sidewalk Labs
Sustainability
YouTube
- History
- "Me at the zoo"
- Social impact
- YouTuber

People

Current	Krishna Bharat Vint Cerf Jeff Dean John Doerr Sanjay Ghemawat Al Gore John L. Hennessy Urs Hölzle Salar Kamangar Ray Kurzweil Ann Mather Alan Mulally Rick Osterloh Sundar Pichai (CEO) Ruth Porat (CFO) Rajen Sheth Hal Varian Susan Wojcicki Neal Mohan
Former	Andy Bechtolsheim Sergey Brin (Founder) David Cheriton Matt Cutts David Drummond Alan Eustace Timnit Gebru Omid Kordestani Paul Otellini Larry Page (Founder) Patrick Pichette Eric Schmidt Ram Shriram Amit Singhal Shirley M. Tilghman Rachel Whetstone

Real estate

Design

Fonts
- Croscore
- Noto
- Product Sans
- Roboto
Logo
- Doodle
  - Doodle Champion Island Games
  - Magic Cat Academy
Material Design

Events

Android Developer Challenge Developer Day Developer Lab Code-in Code Jam Developer Day Developers Live Doodle4Google G-Day I/O Jigsaw Living Stories Lunar XPRIZE Mapathon Science Fair Summer of Code Talks at Google
YouTube	Awards CNN/YouTube presidential debates Comedy Week Live Music Awards Space Lab Symphony Orchestra

Projects and
initiatives

20% project
Area 120
- Reply
- Tables
ATAP
Business Groups
Computing University Initiative
Data Liberation Front
Data Transfer Project
Developer Expert
Digital Garage
Digital News Initiative
Digital Unlocked
Dragonfly
Founders' Award
Free Zone
Get Your Business Online
Google for Education
Google for Startups
Labs
Liquid Galaxy
Made with Code
Māori
ML FairnessNative Client
News Lab
Nightingale
OKR
PowerMeter
Privacy Sandbox
Quantum Artificial Intelligence Lab
RechargeIT
Shield
Silicon Initiative
Solve for X
Starline
Student Ambassador Program
Submarine communications cables
- Dunant
- Grace Hopper
Sunroof
Versus Debates
YouTube
- Creator Awards
- Next Lab and Audience Development Group
- Original Channel Initiative
Zero

Criticism

2018 data breach 2018 walkouts Alphabet Workers Union Censorship DeGoogle "Did Google Manipulate Search for Hillary?" Dragonfly FairSearch "Ideological Echo Chamber" memo Litigation Privacy concerns Street View San Francisco tech bus protests Services outages Smartphone patent wars Worker organization
YouTube	Back advertisement controversy Censorship Copyright issues Copyright strike Elsagate Fantastic Adventures scandal Headquarters shooting Kohistan video case Reactions to Innocence of Muslims Slovenian government incident

Development

Operating systems

Android
- Automotive
- Glass OS
- Go
- gLinux
- Goobuntu
- Things
- TV
- Wear OS
ChromeOS
- ChromiumOS
- Neverware
Fuchsia
TV

Libraries/
frameworks

Platforms

App Engine AppJet Apps Script Cloud Platform Anvato Firebase Cloud Messaging Crashlytics Global IP Solutions Internet Low Bitrate Codec Internet Speech Audio Codec Gridcentric, Inc. ITA Software Kubernetes LevelDB Neatx Project IDX SageTV
Apigee	Bigtable Bitium Chronicle VirusTotal Compute Engine Connect Dataflow Datastore Kaggle Looker Mandiant Messaging Orbitera Shell Stackdriver Storage

Tools

Search algorithms

Others

BERT BigQuery Chrome Experiments Flutter Gemini Googlebot Keyhole Markup Language LaMDA Open Location Code PaLM Programming languages Caja Carbon Dart Go Sawzall Transformer Viewdle Webdriver Torso Web Server
File formats	AAB APK AV1 On2 Technologies VP3 VP6 VP8 libvpx VP9 WebM WebP WOFF2

Products

Entertainment

Currents (news app) Green Throttle Games Owlchemy Labs Oyster PaperofRecord.com Podcasts Quick, Draw! Santa Tracker Songza Stadia games Typhoon Studios TV Vevo Video
Play	Books Games most downloaded apps Music Newsstand Pass Services
YouTube	BandPage BrandConnect Content ID Instant Kids Music Official channel Preferred Premium original programming YouTube Rewind RightsFlow Shorts Studio TV

Communication

Aardvark
Alerts
Answers
Base
BeatThatQuote.com
Blog Search
Books
- Ngram Viewer
Code Search
Data Commons
Dataset Search
Dictionary
Directory
Fast Flip
Flu Trends
Finance
Goggles
Google.by
Images
- Image Labeler
- Image Swirl
Kaltix
Knowledge Graph
- Freebase
- Metaweb
Like.com
News
- Archive
- Weather
Patents
People Cards
Personalized Search
Public Data Explorer
Questions and Answers
SafeSearch
Scholar
Searchwiki
Shopping
Catalogs
- Express
Squared
Tenor
Travel
- Flights
Trends
- Insights for Search
Voice Search
WDYL

Navigation

Earth
Endoxon
ImageAmerica
Maps
- Latitude
- Map Maker
- Navigation
- Pin
- Street View
  - Coverage
  - Trusted
Waze

Business
and finance

Ad Manager
AdMob
Ads
Adscape
AdSense
Attribution
BebaPay
Checkout
Contributor
DoubleClick
- Affiliate Network
- Invite Media
Marketing Platform
- Analytics
- Looker Studio
- Urchin
Pay (mobile app)
- Wallet
- Pay (payment method)
- Send
- Tez
PostRank
Primer
Softcard
Wildfire Interactive
Widevine

Organization
and productivity

Bookmarks Browser Sync Calendar Cloud Search Desktop Drive Etherpad fflick Files iGoogle Jamboard Notebook One Photos Quickoffice Quick Search Box Surveys Sync Tasks Toolbar
Docs Editors	Docs Drawings Forms Fusion Tables Keep Sheets Slides Sites
Publishing	Apture Blogger Pyra Labs Domains FeedBurner One Pass Page Creator Sites Web Designer

Education

Classroom
Grasshopper
Socratic
Photomath
Read Along
Workspace
- Marketplace

Others

Account Dashboard Takeout Android Auto Android Beam Arts & Culture Assistant Authenticator Body BufferBox Building Maker BumpTop Cast Cloud Print Crowdsource Digital Wellbeing Expeditions Family Link Find My Device Fit Google Fonts Gboard Gemini Gesture Search Impermium Knol Lively Live Transcribe MyTracks Nearby Share Now Offers Opinion Rewards Person Finder Poly Question Hub Quick Share Reader Safe Browsing Sidewiki SlickLogin Sound Amplifier Speech Services Station Store TalkBack Tilt Brush URL Shortener Voice Access Wavii Web Light WiFi
Chrome	Apps Chromium Dinosaur Game GreenBorder Remote Desktop Web Store V8
Images and photography	Camera Lens Snapseed Nik Software Panoramio Photos Picasa Web Albums Picnik

Hardware

Smartphones	Android Dev Phone Android One Nexus Nexus One S Galaxy Nexus 4 5 6 5X 6P Comparison Pixel Pixel 2 3 3a 4 4a 5 5a 6 6a 7 7a Fold 8 Comparison Play Edition Project Ara
Laptops and tablets	Chromebook Nexus 7 (2012) 7 (2013) 10 9 Comparison Pixel Chromebook Pixel Pixelbook Pixelbook Go C Slate Tablet
Wearables	Fitbit List of products Pixel Buds Pixel Watch Pixel Watch 2 Project Iris (unreleased) Virtual reality Cardboard Contact Lens Daydream Glass
Others	Chromebit Chromebox Clips Digital media players Chromecast Nexus Player Nexus Q Dropcam Liquid Galaxy Nest Smart Speakers Thermostat Wifi OnHub Pixel Visual Core Search Appliance Sycamore processor Tensor Tensor Processing Unit Titan Security Key

v t e Litigation
Advertising	Feldman v. Google, Inc. (2007) Rescuecom Corp. v. Google Inc. (2009) Goddard v. Google, Inc. (2009) Rosetta Stone Ltd. v. Google, Inc. (2012) Google, Inc. v. American Blind & Wallpaper Factory, Inc. (2017) Jedi Blue
Antitrust	European Union (2010–present) United States v. Adobe Systems, Inc., Apple Inc., Google Inc., Intel Corporation, Intuit, Inc., and Pixar (2011) Umar Javeed, Sukarma Thapar, Aaqib Javeed vs. Google LLC and Ors. (2019) United States v. Google LLC (2020) United States v. Google LLC (2023)
Intellectual property	Perfect 10, Inc. v. Amazon.com, Inc. and A9.com Inc. and Google Inc. (2007) Viacom International Inc. v. YouTube, Inc. (2010) Lenz v. Universal Music Corp.(2015) Authors Guild, Inc. v. Google, Inc. (2015) Field v. Google, Inc. (2016) Google LLC v. Oracle America, Inc. (2021) Smartphone patent wars
Privacy	Rocky Mountain Bank v. Google, Inc. (2009) Hibnick v. Google, Inc. (2010) United States v. Google Inc. (2012) Judgement of the German Federal Court of Justice on Google's autocomplete function (2013) Joffe v. Google, Inc. (2013) Mosley v SARL Google (2013) Google Spain v AEPD and Mario Costeja González (2014) Frank v. Gaos (2019)
Other	Garcia v. Google, Inc. (2015) Google LLC v Defteros (2020) Epic Games v. Google (2021) Gonzalez v. Google LLC (2022)
Category

Terms and phrases	"Don't be evil" Gayglers Google (verb) Google bombing 2004 U.S. presidential election Google effect Googlefight Google hacking Googleshare Google tax Googlewhack Googlization "Illegal flower tribute" Rooting Search engine manipulation effect Sitelink Site reliability engineering YouTube poop
Documentaries	AlphaGo Google: Behind the Screen Google Maps Road Trip Google and the World Brain The Creepy Line
Books	Google Hacks The Google Story Google Volume One Googled: The End of the World as We Know It How Google Works I'm Feeling Lucky In the Plex The Google Book The MANIAC
Popular culture	Google Feud Google Me (film) "Google Me" (Kim Zolciak song) "Google Me" (Teyana Taylor song) Is Google Making Us Stupid? Proceratium google Matt Nathanson: Live at Google The Billion Dollar Code The Internship Where on Google Earth is Carmen Sandiego?
Others	"Attention Is All You Need" elgooG g.co .google Pimp My Search Predictions of the end Relationship with Wikipedia Sensorvault Stanford Digital Library Project