Labs/Bespin/DesignDocs/Security

From MozillaWiki

There are lots of security topics, but for now this page will focus on the security of running external code in Bespin (e.g. for Bespin plugins).

After having chatted with the Caja folks, we think there may be a few ways in which we can use Caja:

  • Cajole all external code before it is run (on the fly at first, maybe batch later)
    • BespinSettings/config.js
    • BespinSettings/plugins/*
    • BespinSettings/themes/*.css
  • Use the Cajoling process to restrict the plugin API
    • Right now, once you get a hook into the plugin process, you can change anything that you want to.
    • Instead, create a "public API" that is safe, and helps us not get into the XUL issue with addons.
  • eval command
    • With the eval command you can do whatever you want. Instead, can we make this an "eval in the cajoled context"?
  • Questions:
    • How do you configure Caja to do this all on the fly?
    • We need to measure how this affects performance. How long does it take to cajole js files as they come down from XHR?
    • Do we need to cajole our API? If so, how deep do we go, or do we go and tame the file?
    • Think about the effects of Bespin running on bespin.mozilla.com and the editor component (e.g. once you load the component, how do you make sure that no code can break out of it).
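The "public API" and "eval in the cajoled context" ideas above, as an added illustration in plain JavaScript (not Bespin's or Caja's code; createEditor, makePluginApi and loadPlugin are hypothetical names, and the plugin sources are constructed). It shows only the API-taming half: the facade limits what a plugin reaches through `bespin`, while removing JavaScript's ambient authority is what cajoling would add on top.

```javascript
"use strict";
// Constructed stand-in for editor internals that a plugin must never reach directly.
function createEditor() {
  return { text: "hello", sessionToken: "constructed-secret", commands: {} };
}
// The "public API" facade: only these operations are reachable through `bespin`.
// Closures hide `editor`; Object.freeze stops one plugin from monkey-patching the
// facade that later plugins (or the eval command) will be handed.
function makePluginApi(editor) {
  return Object.freeze({
    getText() { return editor.text; },
    insertText(s) {
      if (typeof s !== "string") throw new TypeError("insertText expects a string");
      editor.text += s;
    },
    registerCommand(name, fn) {
      if (!/^[a-z][a-z0-9-]*$/.test(name)) throw new Error("bad command name: " + name);
      if (typeof fn !== "function") throw new TypeError("command must be a function");
      editor.commands[name] = fn;
    },
  });
}
// Runs plugin or eval-command source with `bespin` bound to the facade, not the editor.
// Caveat: new Function still sees JavaScript's ambient globals (window, XHR, ...);
// removing that ambient authority is the part cajoling would add.
function loadPlugin(source, api) {
  return new Function("bespin", source)(api);
}
// Constructed plugin sources: one well-behaved, one that reaches past the facade.
const GOOD_PLUGIN = `
  bespin.insertText(", world");
  bespin.registerCommand("shout", function () { return bespin.getText().toUpperCase(); });`;
const NOSY_PLUGIN = `
  bespin.getText = function () { return "patched"; }; // no effect: frozen, sloppy-mode body
  return { token: bespin.sessionToken, editor: bespin.editor };`;
function demo() {
  const editor = createEditor();
  const api = makePluginApi(editor);
  loadPlugin(GOOD_PLUGIN, api);
  const reached = loadPlugin(NOSY_PLUGIN, api);
  return {
    text: editor.text,                 // "hello, world"
    shout: editor.commands.shout(),    // "HELLO, WORLD"
    tokenSeen: reached.token,          // undefined
    editorSeen: reached.editor,        // undefined
    facadeIntact: api.getText() === "hello, world",
  };
}
```

The checks in demo() are the kind of thing the "measure how this affects performance" and "make sure no code can break out" questions would turn into tests once a real cajoled context is in place.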