[cap-talk] Caja discussion on the Caplet Group
Mark Miller
erights at gmail.com
Tue Oct 9 20:55:52 EDT 2007
---------- Forwarded message ----------
From: Mark S. Miller <erights at google.com>
Date: Oct 9, 2007 5:30 PM
Subject: Re: [caplet] ADsafe, Take 5
To: caplet at yahoogroups.com
On 10/9/07, Douglas Crockford <douglas at crockford.com> wrote:
> I have relaxed the rules on words. $ and leading _ are permitted. A
> trailing __ is forbidden.
>
> This change makes ADsafe a subset of another safe JavaScript subset.
As of today, I was able to tell Crock about this other safe JavaScript
subset. And I can tell you folks as well. It's called "Caja". We will
be open sourcing it soon.
"Caja" is Spanish for "box", e.g., as in a strongbox for keeping money
in -- much stronger than a sandbox ;).
Caja defines a subset of JavaScript both syntactically and
semantically. This subset of JavaScript is an object-capability
language. The Caja translator rejects non-Caja input statically when
it can. But because of JavaScript's dynamic nature, some of Caja's
restrictions cannot be imposed statically, so the Caja translator
translates the JavaScript it accepts into JavaScript with additional
runtime checks. To facilitate development, it is easy to write a Caja
program so it can run correctly whether it is run as a Caja program or
run directly as an untranslated JavaScript program.
Crock and I went over some of Caja's draft design today. With this
adjustment to ADsafe's rules, it currently looks plausible that Caja
may indeed be a superset of ADsafe. In other words:
JSON < ADsafe < Caja < ECMAScript 3.
The methodology we're using -- defining enforced subsets of existing
large languages -- has also been applied successfully to Java (Joe-E),
OCaml (Emily), Pict (Backwater) and others:
http://wiki.erights.org/wiki/Object-capability_languages
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
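The message above describes a two-layer scheme: the translator rejects what it can statically, and inserts runtime checks where JavaScript's dynamic nature prevents a static decision. The following is an added illustration of that scheme, not code from Caja or ADsafe; the only rule it enforces is the word rule quoted from Crockford (`$` and a leading `_` allowed, a trailing `__` forbidden), and the function names, the toy program shape and the sample accesses are assumptions constructed for this example.

```javascript
// Word rule as quoted above: "$" and a leading "_" are fine, a trailing "__"
// is not. Everything else in this file is a constructed illustration.
function isAllowedWord(name) {
  return typeof name === "string" && name.length > 0 && !/__$/.test(name);
}

// Static layer: a toy "program" is a list of property accesses. A literal
// name (obj.foo) is known at translation time and can be rejected before
// the program runs; a computed name (obj[expr]) cannot be decided here.
function staticCheck(accesses) {
  const rejected = [];
  for (const acc of accesses) {
    if (acc.kind === "literal" && !isAllowedWord(acc.name)) {
      rejected.push(acc.name);
    }
  }
  return rejected;
}

// Runtime layer: what a translator would emit in place of obj[expr].
// The name only exists once expr has been evaluated, so it is checked
// on every access. Untranslated, the same program would just read obj[name].
function guardedGet(obj, name) {
  const key = String(name);
  if (!isAllowedWord(key)) {
    throw new TypeError("forbidden property name: " + key);
  }
  return obj[key];
}

// Constructed sample program: three literal accesses and one computed one.
const sampleAccesses = [
  { kind: "literal", name: "$" },
  { kind: "literal", name: "_a" },
  { kind: "literal", name: "a__" },
  { kind: "computed", name: null }, // obj[expr]: unknown until runtime
];

// Runs both layers over the sample and reports what each one caught.
function demo() {
  const rejectedStatically = staticCheck(sampleAccesses);
  const obj = { $: 1, _a: 2, a__: 3 };
  let runtimeRejected = false;
  try {
    guardedGet(obj, "a" + "__"); // computed at runtime, ends in "__"
  } catch (e) {
    runtimeRejected = e instanceof TypeError;
  }
  return { rejectedStatically, ok: guardedGet(obj, "_a"), runtimeRejected };
}
```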