The final rush
I have been a bit absent again in the last couple of weeks; for a change, there is a good—or at least pleasant—reason for that. Last week I passed 2 exams at University, so now I have only one left; I’m finally getting closer to finishing my degree.
More decisively, today I completed the preliminary paperwork for my thesis. It’s a very interesting project, on a topic that interests me; it also has the potential for real-world, commercial application; and well, it’s just a good challenge.
Caja is a Google project aiming to define a subset of JavaScript that is safe. That’s a big claim, especially when you take into consideration scenarios where you let your users upload their own content, JavaScript included, and you want to serve that code and run it with your content, without letting it wreak havoc on the rest of your scripts.
One way of addressing this is to use an object-capability language: you restrict the language so that every access goes only through the public methods of your published classes. That way no unwanted side effect can happen, and you only have so many objects to protect. This requires far fewer changes to JavaScript than you would expect, thanks to its expressiveness and its brevity.
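The object-capability idea in plain JavaScript, as an added example that is not from the original post and is not Caja's code: state is hidden in a closure and the guest is handed only a read-only facet, first mutable and then frozen. `makeCounter`, `readOnlyFacet`, `guest` and `demo` are hypothetical names, and `Object.freeze` stands in here for guarantees a safe subset would enforce at the language level.

```javascript
// Added illustration, not Caja code. makeCounter, readOnlyFacet, guest and demo
// are hypothetical names; the "guest" stands in for user-supplied script.

// State lives in a closure, so it is reachable only through published methods.
function makeCounter(limit, harden) {
  let count = 0;
  const api = {
    increment() {
      if (count >= limit) throw new RangeError('limit reached');
      return ++count;
    },
    read() { return count; }
  };
  // Without freeze, anyone holding the object can swap its methods.
  return harden ? Object.freeze(api) : api;
}

// Attenuated capability: the guest gets read access and nothing else.
function readOnlyFacet(counter, harden) {
  const facet = { read: () => counter.read() };
  return harden ? Object.freeze(facet) : facet;
}

// Constructed guest: tries to tamper with whatever it was handed.
function guest(cap) {
  'use strict'; // failed writes to frozen objects throw instead of being ignored
  const outcome = {};
  const attempt = (name, fn) => {
    try { fn(); outcome[name] = 'succeeded'; }
    catch (e) { outcome[name] = e.constructor.name; }
  };
  attempt('replaceMethod', () => { cap.read = () => 9999; });
  attempt('callUnpublished', () => cap.increment());
  outcome.seesCountProperty = 'count' in cap;
  return outcome;
}

// Host: hand the same guest a mutable facet (harden=false), then a frozen one.
function demo(harden) {
  const counter = makeCounter(3, harden);
  counter.increment();
  const facet = readOnlyFacet(counter, harden);
  const outcome = guest(facet);
  return { outcome, hostReads: facet.read(), realValue: counter.read() };
}

console.log(demo(false));
console.log(demo(true));
```

Freezing individual objects does not stop a guest in the same global environment from reaching globals or shared prototypes, which is the part a restricted language subset has to take away.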
Caja approaches this by translating the input source into a kind of p-code, and interpreting this with a small JavaScript library. My project instead aims to implement the p-code support infrastructure directly into Mozilla SpiderMonkey, potentially making it available to the browser we all use and love.
That’s a big project and is going to be a lot of work, but with help from Marco Cremonini, my professor, and Ben Laurie, my tutor at Google, I trust I’ll get a lot done. For sure, the next three months are going to be an interesting ride.
Comments
6 Responses to “The final rush”
Wow, a *very* interesting project. I’ve been looking at Caja, and in my opinion it brings a master missing piece to the current web, by allowing “active” content to be aggregated in a trusted manner.
Indeed; also, since it leverages on tried and true concepts and it focuses on what is practical and usable, it has a good chance of having a very low entry cost, making it acceptable by a large audience.
And I don’t have to tell you that this is not only useful on the wider internet; applications that use JavaScript internally can benefit greatly from this approach :-)
Sure, and it can allow for interesting things in domains like business automation where the BPL XML languages are both convoluted because they express programming language constructs in XML and limited because they’re not a real programming language.
The use of JS to express complex page transitions in Cocoon’s flowscript has proven to be incredibly efficient. When running in a Java environment though, the Rhino interpreter gives a lot of control on what scripts can and cannot do, so Caja might be less needed there.
Well, yes and no. The point is, JavaScript’s flexibility means you can for example define new methods (or replace existing ones) on other objects / classes. I don’t think Rhino can protect you against that: if you can call a setter, you can replace it; there’s no way around that in JavaScript.
On the other hand, you are right: I am more interested in the client side.
cool!!! Of course, with these kinds of efforts, even if you graduate, we’ll still be pressuring you to actually complete the thing, for the Greater Good(tm) of the web :-)
Ah but that’s the nice thing, for once both Greater Good and hard currency point the same way :-)