Here at Google, I’m working on an open-source project called Caja. The name is Spanish for box or vault, and is pronounced “KA-hah”.
The general idea of Caja could be summed up as “virtual iFrames”. An iFrame is a little webpage stuck inside a bigger one, like a gadget in iGoogle or YAP. Web browsers use a security policy called the “same-domain policy”, which means that only a web page that came from Google’s servers should be allowed to cause changes to your Google-hosted data: you don’t want to allow the “pet turtle” gadget to delete all your email. So the way iGoogle protects your email is by putting the turtle gadget on a different domain, http://gmodules.com.
The same-domain policy does a good job of making it hard for gadgets to work together and a mediocre job of insulating mutually suspicious gadgets from each other; cross-site scripting (XSS) is a constant threat for any web site. Making sure you properly sanitize every use of user-supplied information is like trying to avoid getting a cold while surrounded by forty sniffling kindergarteners.
Also, even if you do manage to prevent XSS entirely, iFrames do nothing to prevent redirecting the page: it’s trivial for a gadget to tell your web browser to go to a page that looks like the Google login page, but really sends your password to the bad guys. All it has to do is include this line of code:
<script>window.top.location = “http://www.evil.com/phishing.html”;</script>
Caja addresses all these issues. On a gadget site like YAP, instead of sending your web browser a page with a bunch of iFrames, each of which causes your web browser to fetch a gadget, Yahoo’s server fetches the gadgets first and rewrites them with Caja, inserting code that looks at every operation the gadget tries to do. It also replaces the objects that code usually has access to, like window above, and replaces them with fake ones. The fake window object doesn’t have a working top.location property, so the gadget can’t redirect the page. The DOM objects sanitize strings passed to innerHTML and remove script blocks, so XSS is impossible. By letting two gadgets see the same variable, they can communicate with each other. Outgoing links are rewritten so that they pass through Yahoo’s proxy server, where the links can be checked in real time for malware.
With the lauch of My Yahoo! and Yahoo! Mail gadgets, we’ve got 275 million users. The best part is that we’re hardly mentioned anywhere: it’s so unobtrusive, that developers don’t even notice the restrictions. (But you can read about Caja on Yahoo’s site.) iGoogle’s sandbox also allows you to play with Caja today; it should go live next month, and we’re hoping to get Caja into several other Google properties as the year progresses.