As we announced in the last update to the former orkut Developer Blog last week, henceforth we’ll be posting all orkut developer updates to this blog. We think this is also a good opportunity to quickly introduce the newly-launched Developer page to y…
Posted by Prashant Tiwari, Developer Programs Engineer
Effective today, we’re moving this blog to the Google Code blog, which many of you may already be familiar with as the home to announcements and updates from several other Google APIs. The code blog enjoys a much wider audience and we believe this transition will help us reach out to a much larger number of developers, which will further help grow the community around orkut. This blog will still be available for reference to our older posts but all the new ones will go to the new blog.
Remember to update your bookmarks to googlecode.blogspot.com for all major updates to the orkut development platform, and follow us on Twitter and the orkut Developer Forum for all other community news, events and announcements.
Posted by Jasvir Nagra (Caja) and Shishir Birmiwal (orkut), Software Engineers
We are excited to announce the availability of Caja (pronounced KA-hah) for orkut applications. Caja makes your gadget more secure by analyzing and rewriting it such that any exploits or vulnerabilities in your application are much less dangerous for your users. In addition, it also rewrites your gadget so it works across different browsers. For example, under Caja, it doesn’t matter whether you use addEventListener or attachEvent — both just work!
Caja works with your existing HTML, CSS and JavaScript — there are no new tools, programming languages or APIs for you to learn, and your gadget can keep using any object references and orkut APIs. In order to detect vulnerabilities, Caja restricts the JavaScript accepted in a gadget to an analyzable subset. The only constructs left out of this subset, such as with and eval, also violate JavaScript best practices. In addition, Caja warns about other aspects of the code, such as missing semicolons, HTML attributes that aren’t recognized by browsers, and statements that have no side effect.
To enable Caja for your application, add the following feature entry to your app XML in ModulePrefs:
For example, here is a very simple gadget which makes some text bold and displays it:
Can you see the problem? Unfortunately, this gadget contains a very common XSS vulnerability. If a user enters text into the input box which contains a script block, either deliberately or as a result of being tricked by an attacker, the script can take control of your gadget — for example, by redirecting the user to a malware site. In this example, the gadget is vulnerable because the gadget author assigns an unsanitized string to innerHTML and thus possibly executes any script embedded in the string. However, because the gadget uses Caja, such errors in quoting and sanitization don’t escalate into arbitrary script execution, and your users will not be exploited.
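The following is an added example, not code from the original post or from the Caja project. It reconstructs the "make some text bold" gadget logic as plain string functions so the markup that would be assigned to innerHTML can be inspected without a browser, placing the unsanitized pattern the post describes beside an escaped version. The gadget wiring (an input box feeding a div via innerHTML) and the ModulePrefs feature line in the comment are assumptions, since the post's own XML did not survive extraction.

```javascript
// Added example, not code from the original post. It models the post's
// "make some text bold" gadget as pure string functions so the markup that
// would be assigned to innerHTML can be inspected without a browser.
// Assumed gadget wiring (not shown on the page): the text comes from an
// <input> and the result is written into a <div> via innerHTML.

// Enabling Caja in the gadget spec. The post's XML snippet did not survive
// extraction; the element below is an assumption based on the OpenSocial
// gadget feature convention:
//   <ModulePrefs title="Bold text">
//     <Require feature="caja"/>
//   </ModulePrefs>

// The vulnerable pattern described in the post: user text is concatenated
// straight into markup. Any tags in the text become live DOM once assigned.
function boldUnsafe(userText) {
  return '<b>' + userText + '</b>';
}

// Escape the characters that can start a tag, end an attribute value, or
// begin an entity, so the text can only ever render as text.
function escapeHtml(text) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Hardened form of the same gadget logic.
function boldSafe(userText) {
  return '<b>' + escapeHtml(userText) + '</b>';
}

// Check whether markup still carries an actual tag of the given name
// (a raw "<script" rather than the inert "&lt;script").
function containsTag(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

// In a real gadget the DOM API avoids string-built markup altogether:
//   var b = document.createElement('b');
//   b.appendChild(document.createTextNode(userText));
//   container.appendChild(b);

// Constructed sample input of the kind the post warns about.
var sampleInput = 'hello <script>alert(1)</script>';
console.log(boldUnsafe(sampleInput)); // tag survives: would run once assigned to innerHTML
console.log(boldSafe(sampleInput));   // rendered as literal text
```

Caja's rewriting is what keeps a forgotten escape from escalating, but the gadget author should still produce inert markup: escaping at the point of interpolation, or building nodes with createTextNode, means the input is text in every browser, with or without the Caja badge.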
Caja also supports Flash through a Flash bridge. Read more about the FlashBridge or try out the sample app.
We will be introducing a badge for gadgets that use Caja, so users can more easily find them. Caja gadgets will get a boost in the app-directory rankings. So get coding and building interesting apps!
Caja in orkut is a work in progress and we will continue to incorporate your feedback to improve it. Read the Caja getting-started guide or visit the Caja homepage for more information.