[tahoe-dev] How to use Caja to solve the same-origin policy hazard (hosting both webapps and untrusted content in Tahoe)
Kevin Reid
kpreid at switchb.org
Sat Jul 30 08:25:55 PDT 2011
On Jul 30, 2011, at 8:06, Zooko O'Whielacronx wrote:
> Your letter fills me with internal conflict! [...] On the other hand: Java.
>
> I hate Java, and I hate the JVM. And even if I could hold my nose and
> overcome my personal antipathy, the fact that caja requires Java to
> run the cajoler imposes a huge difficulty in terms of packaging and
> deployment for Tahoe-LAFS. I haven't thought through all the details
> yet, but would it would mean the end of the "quickstart" procedure
> [1]? [...]
The following is purely a hypothetical scenario; I make no promises about future work on the Caja project.
How would you feel if it instead required a JavaScript runtime on the gateway, *or* the user to have recent browser with JavaScript enabled?
We are working towards the goal of a pure client-side lightweight cajoler (in a particular mode of operation, on ES5-supporting browsers) which could be used for this purpose; it would require some amount of additional work to make it work server-side in a no-JS-in-the-browser.
One could look at Node.js as an example of software which bundles a JavaScript runtime with it. (I haven't looked at how nice installing Node.js from source is.)
Is there a JavaScript-to-Python compiler yet? :-)
--
Kevin Reid <http://switchb.org/kpreid/>
More information about the tahoe-dev
mailing list