Caja in Orkut and XSS vulnerabilities

[eduardorochabr]

I would like no know if Orkut OpenSocial implementation uses Caja.

Orkut suffered from XSS attacks some weeks ago, and the Orkut Team
disabled significant 3rd party application functionality because of
this.

Does these attacks invalidate the Caja goal of "allowing untrusted
code more power than is safe to give to code in iframes"?

[Mike Samuel]

2009/2/27 eduardorochabr <eduardo...@gmail.com>:

>
> I would like no know if Orkut OpenSocial implementation uses Caja.

It does not.

> Orkut suffered from XSS attacks some weeks ago, and the Orkut Team
> disabled significant 3rd party application functionality because of
> this.
>
> Does these attacks invalidate the Caja goal of "allowing untrusted
> code more power than is safe to give to code in iframes"?

No it does not.

[Mike Stay]

Precisely because the attacks would not have been possible had they
been using Caja!

--
Mike Stay - meta...@gmail.com
http://math.ucr.edu/~mike
http://reperiendi.wordpress.com

[eduardorochabr]

Thank you very much.

On 27 fev, 21:48, Mike Stay <metaw...@gmail.com> wrote:
> On Fri, Feb 27, 2009 at 4:34 PM, Mike Samuel <mikesam...@gmail.com> wrote:
>
> > 2009/2/27 eduardorochabr <eduardoroch...@gmail.com>:

>
> >> I would like no know if Orkut OpenSocial implementation uses Caja.
>
> > It does not.
>
> >> Orkut suffered from XSS attacks some weeks ago, and the Orkut Team
> >> disabled significant 3rd party application functionality because of
> >> this.
>
> >> Does these attacks invalidate the Caja goal of "allowing untrusted
> >> code more power than is safe to give to code in iframes"?
>
> > No it does not.
>
> Precisely because the attacks would not have been possible had they
> been using Caja!
>
> --

> Mike Stay - metaw...@gmail.comhttp://math.ucr.edu/~mikehttp://reperiendi.wordpress.com

[eduardorochabr]

Hey Googlers, do you know why Orkut isn't using it? Do you have
contact with them?

I can't help but think why Orkut suffered from such attack and yet
doesn't use this superb project, which comes from the very same
company.

Thank you for your feedback.

On 27 fev, 21:48, Mike Stay <metaw...@gmail.com> wrote:
> On Fri, Feb 27, 2009 at 4:34 PM, Mike Samuel <mikesam...@gmail.com> wrote:
>
> > 2009/2/27 eduardorochabr <eduardoroch...@gmail.com>:
>

> >> I would like no know if Orkut OpenSocial implementation uses Caja.
>
> > It does not.
>
> >> Orkut suffered from XSS attacks some weeks ago, and the Orkut Team
> >> disabled significant 3rd party application functionality because of
> >> this.
>
> >> Does these attacks invalidate the Caja goal of "allowing untrusted
> >> code more power than is safe to give to code in iframes"?
>
> > No it does not.
>
> Precisely because the attacks would not have been possible had they
> been using Caja!
>
> --

> Mike Stay - metaw...@gmail.comhttp://math.ucr.edu/~mikehttp://reperiendi.wordpress.com

[Mike Stay]

On Sat, Feb 28, 2009 at 3:08 PM, eduardorochabr
<eduardo...@gmail.com> wrote:
>
> Hey Googlers, do you know why Orkut isn't using it? Do you have
> contact with them?

Yes, but the details of why they aren't using it yet are confidential.

[eduardorochabr]

OK Mike, thank you very much for the feedback.

On 28 fev, 20:15, Mike Stay <metaw...@gmail.com> wrote:
> On Sat, Feb 28, 2009 at 3:08 PM, eduardorochabr
>

> <eduardoroch...@gmail.com> wrote:
>
> > Hey Googlers, do you know why Orkut isn't using it? Do you have
> > contact with them?
>
> Yes, but the details of why they aren't using it yet are confidential.
> --

> Mike Stay - metaw...@gmail.comhttp://math.ucr.edu/~mikehttp://reperiendi.wordpress.com