MySpace: Caja JavaScript scrubbing ready for prime time

MySpace is rolling out its development platform, but perhaps more notable is the social network site's use of Caja, a JavaScript scrubbing tool to make sure third party applications and content are safe. In addition, MySpace is implementing other security processes.

Kyle Brinkman, vice president and general manager of the MySpace Developer Platform, said MySpace is likely to be the first large implementation of Caja--a technology developed by the social network and Google. The MySpace Developer Platform launched on Tuesday.

The general idea behind Caja, which will be included in Google's OpenSocial code, is to scrub third-party JavaScript so that it can only do what the host page allows, closing off the malware and cross-site attacks that unvetted scripts make possible. The tools can't come soon enough: third-party social applications are a security disaster waiting to happen, and there has been little formal testing of them. Take vulnerable software, couple it with a social network, and you have hacker paydirt. ActiveX controls, which run with the full authority of the user, are the cautionary example of what happens when third-party active content gets too much power (MySpace doesn't support ActiveX).

Here's how Google describes Caja:

The computer industry has only one significant success enabling documents to carry active content safely: scripts in web pages. Normal users regularly browse untrusted sites with Javascript turned on. Modulo browser bugs and phishing, they mostly remain safe. But even though web apps build on this success, they fail to provide its power. Web apps generally remove scripts from third party content, reducing content to passive data. Examples include webmail, groups, blogs, chat, docs and spreadsheets, wikis, and more.

Were scripts in an object-capability language, web apps could provide active content safely, simply, and flexibly. Surprisingly, this is possible within existing web standards. Caja represents our discovery that a subset of Javascript is an object-capability language.
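The object-capability idea in Google's description above, as an added illustration in JavaScript (this is example code written for this page, not Caja's own code or anything from the MySpace platform): the host holds the real resource and hands each gadget only a frozen, attenuated capability object, so whatever the gadget was not given, it cannot attack. `ProfileStore`, `makeGadgetStorage` and the two gadget functions are constructed for the example. It models the effect of Caja's rewriting, where a gadget's only free variables are the capabilities passed to it, rather than performing that rewriting.

```javascript
'use strict';

// Added illustration (not Caja's own code) of the object-capability pattern:
// the host keeps the real resource, and a gadget only ever receives a frozen,
// attenuated capability it was explicitly handed.

// Host-side resource shared by every gadget on a profile page. Constructed for
// this example; Caja itself defines no such store.
class ProfileStore {
  constructor() {
    this.data = new Map();
  }
  get(key) {
    return this.data.get(key);
  }
  set(key, value) {
    this.data.set(key, value);
  }
  // Authority a gadget must never obtain.
  deleteAll() {
    this.data.clear();
  }
}

// Attenuation: derive a narrower capability from the full store. The returned
// object closes over `store`, so the gadget never gets a reference to it, and
// it is frozen so the gadget cannot add or replace methods on it.
function makeGadgetStorage(store, gadgetId) {
  const prefix = `gadget:${gadgetId}:`;
  return Object.freeze({
    get(key) {
      return store.get(prefix + String(key));
    },
    set(key, value) {
      store.set(prefix + String(key), String(value));
    },
  });
}

// In Caja, third-party code was rewritten so that its only free variables are
// the capabilities the host passes in. Here gadgets are plain functions that
// receive those capabilities as parameters, modelling the result of that
// rewriting without performing it.
function visitCounterGadget(storage) {
  const visits = Number(storage.get('visits') || 0) + 1;
  storage.set('visits', visits);
  return visits;
}

// A gadget that tries to escalate. Each attempt either throws (no such method,
// or the capability object is frozen) or simply has no effect.
function hostileGadget(storage) {
  const escapes = [];
  try {
    storage.deleteAll(); // not on the capability: TypeError
    escapes.push('deleteAll');
  } catch (e) {
    // expected: the capability exposes no deleteAll
  }
  const fakeSet = () => undefined;
  try {
    storage.set = fakeSet; // frozen: TypeError in strict mode
  } catch (e) {
    // expected: cannot replace a method on a frozen object
  }
  if (storage.set === fakeSet) escapes.push('overwrote set');
  // Reading another gadget's key is just a miss under this gadget's prefix.
  if (storage.get('secret') !== undefined) escapes.push('cross-gadget read');
  return escapes;
}

// Run one well-behaved and one hostile gadget against the same host store and
// report what each achieved.
function demo() {
  const store = new ProfileStore();
  store.set('gadget:b:secret', 'belongs to gadget b'); // constructed data
  const storageA = makeGadgetStorage(store, 'a');

  const firstVisit = visitCounterGadget(storageA);
  const secondVisit = visitCounterGadget(storageA);
  const escapes = hostileGadget(storageA);

  return {
    firstVisit,
    visits: secondVisit,
    escapes,
    otherGadgetIntact: store.get('gadget:b:secret') === 'belongs to gadget b',
  };
}
```

The point of the example is that nothing in the gadget's reach confers authority over `ProfileStore`: the attenuated capability is the only thing it holds, freezing it stops the gadget from widening it, and the prefix keeps one gadget's data from another. Caja's job was to guarantee, by rewriting and checking the source, that gadget code could not get at anything else (globals, the raw DOM, other gadgets' objects); this sketch assumes that guarantee rather than providing it.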

According to Brinkman, Caja is designed to "maximize the capability and minimize the exploit." Brinkman added that MySpace is among the first big deployments of Caja, which is designed to shut down a host of attack vectors. "Caja takes technology that was a computer science project and turns it into an engineering project," said Brinkman. "The goal is to make JavaScript safer."

MySpace is hoping that security will be a big selling point for its third-party applications. To that end, every third-party application developed for MySpace will pass through Caja and a "safety review process" before going live. These security processes are long overdue, especially if these third-party Web 2.0 toys are ever going to become enterprise class.

Topics: Browser, Open Source, Security, Social Enterprise

Talkback

2 comments
  • the most intelligent news in a long time

    given it proves out. Gratis to those who try it and see.

    Thank you for reporting it.

    N.
    Narr vi
  • RE: MySpace: Caja JavaScript scrubbing ready for prime time

    If this happens, Myspace will see an influx of users flocking to the new "toys" and designs available... and the site won't look so crappy.
    Lacerz