Can Caja still be used in production?

[Lukas Bombach]

Hi there, 

we can really make use of this project (or something similar) at welt.de one of Germany's biggest daily newspapers. I have been told on GitHub that, while no new features are being added, the project is being kept running. I am not quite sure what this implies. Our situation is that we have students writing widgets that might be shown on our front page and they should not break anything else on the page by, let's say, doing something like document.body.innerHTML = "";. Since we don't want to have iFrames over iFrames on our site, it seems the only way to deal with this is to check the code, supported by tools like Caja (?). So I am wondering if Caja is suitable for this and if it is still maintained in the way (and feature-complete) that i still can be used for a high-traffic website.

Thanks in advance

Lukas

[Kevin Reid]

On Mon, May 23, 2016 at 2:57 AM, 'Lukas Bombach' via Google Caja Discuss <google-ca...@googlegroups.com> wrote:

Hi there, 

we can really make use of this project (or something similar) at welt.de one of Germany's biggest daily newspapers. I have been told on GitHub that, while no new features are being added, the project is being kept running. I am not quite sure what this implies. Our situation is that we have students writing widgets that might be shown on our front page and they should not break anything else on the page by, let's say, doing something like document.body.innerHTML = "";. Since we don't want to have iFrames over iFrames on our site,

Why don't you want to use iframes?

In the cases where they can be used, iframes (with or without the sandbox attribute) are a much, much lighter-weight solution than Caja.

 

it seems the only way to deal with this is to check the code, supported by tools like Caja (?).

Caja does not “check” code. It runs arbitrary code in a restricted environment.

 

So I am wondering if Caja is suitable for this and if it is still maintained in the way (and feature-complete) that i still can be used for a high-traffic website.

It depends on what you want to do. If you want to run The Latest Hot New Web Thingies, like say a WebGL game, Caja won't work for you (both because WebGL, being a newer feature, is not supported, and because the performance cost is too high).

If you want more straightforward interactive HTML stuff, it'll likely be fine.

It's hard to say exactly what will work and what won't, because there are no “browser API levels” that we can point at to say Caja does or doesn't support them, only individual features.

[Lukas Bombach]

Ok this is very helpful, thank you very much.

The reason we don't want iFrames is performance and interactivity. Not only do they load slower (ok Caja does too, but we are still exploring and not knowing Caja very well), but the whole website seems to be less responsive. it seems to me (esp. on mobile and esp. if you have like 8 iFrames). Also, often our contents grow and shrink in size and we would need to have scripts that communicate between host and the iframe to resize it. Last but not least—sometimes we do want interaction between the iFrames contents and the host or even other iFrames, which would make things unpleasant.

[Kevin Reid]

On Tue, May 24, 2016 at 3:48 AM, 'Lukas Bombach' via Google Caja Discuss <google-ca...@googlegroups.com> wrote:

Ok this is very helpful, thank you very much.

The reason we don't want iFrames is performance and interactivity. Not only do they load slower (ok Caja does too, but we are still exploring and not knowing Caja very well),

Caja is inherently fairly heavyweight, so you may not get what you want here. Make sure you're calling caja.initialize() as soon as possible to get the async loading going.

 

but the whole website seems to be less responsive. it seems to me (esp. on mobile and esp. if you have like 8 iFrames).

I'm not familiar with the performance characteristics of iframes on mobile, but if so, yes, that sounds like a good reason to want non-iframe embedding like Caja.

 

Also, often our contents grow and shrink in size and we would need to have scripts that communicate between host and the iframe to resize it.

Ah yes, that awful mess.