Caja gadgets on Yahoo! home page!!


by Mark Miller-2

Caja (and thus object-capabilities) are now protecting one of the
world's top three web pages, the Yahoo! home page.

http://developer.yahoo.com/yap/guide/caja-support.html
http://www.wait-till-i.com/2009/10/11/introduction-to-yahoo-open-applications/

The other two top web pages are the Google search page and the
Facebook page <http://www.alexa.com/topsites>. The Google search page
has no need for isolation. The primary means of isolation on the
Facebook page is also JavaScript-to-JavaScript rewriting (their FBJS),
which is also an ocap-oriented approach in most ways. AFAICT, it is
not until you get to site #11 that you find a site needing isolation
within a page and using iframes and the same origin policy (SOP) as
the primary means of providing it. (Note that iframes/SOP is still used
as a defense-in-depth backstop for Caja on the Yahoo! home page,
just in case. And Facebook does make some use of iframes as well.)

It seems that within pages served at huge scale, ocap-oriented
JS-to-JS rewriting is now the primary means of isolation, having
overtaken and surpassed iframes and SOP. While it is way too early to
declare victory, it is not too early to applaud Yahoo! for their
tremendous progress contributing to a safer web.

--
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
_______________________________________________
e-lang mailing list
e-lang@...
http://www.eros-os.org/mailman/listinfo/e-lang

Re: [cap-talk] Caja gadgets on Yahoo! home page!!

by Raoul Duke

>> Caja (and thus object-capabilities) are now protecting one of the
>> world's top three web pages, the Yahoo! home page.
> That's awesome!  Congrats!

also looking forward to the fact that such big exposure should help
find some bugs ;-)