google-caja

This is also a sandboxing technology; I still need to download the code and study it.

 

A source-to-source translator for securing Javascript-based web content

 

http://code.google.com/p/google-caja/

 

You can also refer to this fellow's article: http://mikewest.org/2008/12/some-thoughts-regarding-caja

 

The following is from: http://developer.yahoo.com/yap/guide/caja-support.html#what-is-caja

 

 

HOW DOES CAJA WORK?

Caja has two main parts:

  • server-side translator
  • client-side runtime support

The Server-Side Translator

The Caja translator rewrites arbitrary HTML and JavaScript into safe HTML and JavaScript, using white-list security principles, by

  • Removing anything it doesn't understand
  • Removing HTML and CSS that isn't on a white-list
  • Modifying CSS rules, limiting them to a sandbox <div>
  • Transforming JavaScript into forms known to be safe

The JavaScript transformation is the complicated part. It's basically a form of virtualization:

  • Replaces references to real global variables with references to per-sandbox globals
  • Rewrites references to this to prevent access to the real global scope
  • Replaces most JavaScript code with semantically similar code that has runtime checks for security
  • Rejects some JavaScript code early, such as with(obj){...}.

Here's an example transformation. This JavaScript source code:

  size = 3;
  function arf(geo, out) {
      var s4 = geo.compute(4 * size);
      var s5 = geo.compute(5 * size);
      out.value = (s4+s5)/2;
      return this;
  };

is cajoled into something like this:

  $v.so('arf', (function () {
      function arf$_caller($dis, geo, out) {
          var s4 = $v.cm(geo, 'compute', [ 4 * $v.ro('size') ]);
          var s5 = $v.cm(geo, 'compute', [ 5 * $v.ro('size') ]);
          $v.s(out, 'value', (s4+s5)/2);
          return $dis;
      }
      ___.markFuncOnly(arf$_caller, 'arf$_caller');
      return $v.dis(___.primFreeze(arf$_caller), 'arf');
  })());
  $v.so('size', 3);
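To make the three virtualization points above concrete (per-sandbox globals, a rewritten this, and runtime-checked property access), here is an added example that is not Google Caja's own runtime and not code from the page: a toy $v / ___ runtime with the same method names as the cajoled output, run against that cajoled program. The forbidden-name list, the fail-closed rules, the use of a WeakSet for "marked" functions and the sample geo and out objects are all assumptions made for this illustration.

```javascript
// Added illustration, not Google Caja's own runtime: a toy per-sandbox runtime
// whose $v / ___ helpers mirror the shape of the cajoled output above. The
// forbidden-name list, fail-closed rules and helper names are assumptions.
'use strict';

// Property names that lead out of the object graph a sandbox may see
// (assumed list); names ending in "_" are private, following Caja's convention.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype', 'caller',
  'callee', 'arguments', '__defineGetter__', '__defineSetter__']);
function checkName(name) {
  if (typeof name !== 'string' || FORBIDDEN.has(name) || name.endsWith('_')) {
    throw new TypeError('sandbox: access to "' + name + '" is not allowed');
  }
  return name;
}
const isObject = (x) => x !== null && (typeof x === 'object' || typeof x === 'function');

// Stand-in for the ___ helper object seen in the cajoled code (assumption).
const markedFunctions = new WeakSet();
const ___ = {
  markFuncOnly(fn) { markedFunctions.add(fn); return fn; },
  primFreeze(obj) { return Object.freeze(obj); },
};

function makeSandboxRuntime() {
  // Per-sandbox global table: real globals such as window or document are never
  // consulted, so "size = 3" in guest code cannot reach the host page.
  const globals = Object.create(null);
  return {
    // $v.so: define or overwrite a sandbox global.
    so(name, value) { globals[checkName(name)] = value; return value; },
    // $v.ro: read a sandbox global; unknown names fail closed.
    ro(name) {
      if (!(checkName(name) in globals)) throw new ReferenceError('sandbox: "' + name + '" is not defined');
      return globals[name];
    },
    // $v.s: checked property write; frozen objects stay immutable.
    s(obj, name, value) {
      checkName(name);
      if (!isObject(obj) || Object.isFrozen(obj)) throw new TypeError('sandbox: cannot write to target');
      obj[name] = value;
      return value;
    },
    // $v.cm: checked method call obj[name](...args).
    cm(obj, name, args) {
      checkName(name);
      const fn = isObject(obj) ? obj[name] : undefined;
      if (typeof fn !== 'function') throw new TypeError('sandbox: "' + name + '" is not callable');
      return fn.apply(obj, args);
    },
    // $v.dis: expose a $dis-taking function as an ordinary one. The receiver is
    // passed explicitly; a bare call passes undefined, so the guest never sees
    // the real global object as "this".
    dis(fn, name) {
      if (!markedFunctions.has(fn)) throw new TypeError('sandbox: "' + name + '" was not marked');
      return Object.freeze(function (...args) {
        return fn((this === undefined || this === globalThis) ? undefined : this, ...args);
      });
    },
  };
}

// Runs the page's cajoled program against the toy runtime and reports what the
// guest could and could not do; geo and out are constructed sample inputs.
function runCajoledExample() {
  const $v = makeSandboxRuntime();
  $v.so('arf', (function () {
    function arf$_caller($dis, geo, out) {
      var s4 = $v.cm(geo, 'compute', [4 * $v.ro('size')]);
      var s5 = $v.cm(geo, 'compute', [5 * $v.ro('size')]);
      $v.s(out, 'value', (s4 + s5) / 2);
      return $dis;
    }
    ___.markFuncOnly(arf$_caller, 'arf$_caller');
    return $v.dis(___.primFreeze(arf$_caller), 'arf');
  })());
  $v.so('size', 3);

  const geo = { compute: (n) => n * 10 };     // constructed collaborator object
  const out = {};
  const holder = { arf: $v.ro('arf') };
  const bareThis = $v.ro('arf')(geo, out);    // bare call: $dis must be undefined
  const throws = (f) => { try { f(); return false; } catch (e) { return true; } };
  return {
    value: out.value,                         // (120 + 150) / 2 = 135
    bareThisIsUndefined: bareThis === undefined,
    methodThisIsHolder: holder.arf(geo, out) === holder,
    hostGlobalUntouched: typeof globalThis.size === 'undefined',
    protoReadRejected: throws(() => $v.cm(out, '__proto__', [])),
    privateWriteRejected: throws(() => $v.s(out, 'secret_', 1)),
  };
}
```

The guest program computes its value normally, yet size lives only in the sandbox table, a bare call of arf receives undefined rather than the host's global object, and property names outside the whitelist are refused before any access happens. Caja's real runtime is far more elaborate; the point here is only that every global read, property write, method call and this-binding goes through a check the host controls.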
