caja

[Neo Anderson <ne...@googlemail.com>]

How to use caja in Shindig?

Can we use caja instead of iFrames?

If we use caja, features like dynamic-height, settitle, UserPref and tabs
will work or not?

Re: caja

[Peter Valchev <pv...@google.com>]

On Sat, Mar 1, 2008 at 2:18 PM, Kevin Brown <et...@google.com> wrote:
> caja is still a work in progress -- a lot of manual work is required to make
>  it work correctly with shindig. Specifically, you have to do the "taming"
>  work necessary for each of the APIs that gets exposed to gadgets. Cassie has
>  done work to make this work with opensocial-0.7 (she would know how complete
>  that is), but none of the other APIs have had said work done.
>
>  Taming is a fairly complicated subject, and it's going to take us a long
>  time to make it all happen. There are also some rather significant
>  limitations of caja today that are still being addressed (no tamed DOM api,
>  in particular no safe innerHTML). The caja developers are working hard to
>  make these things available to us, but that's a separate project from
>  shindig, and if you want to attempt to use it with shindig today, you'll
>  probably need to become familiar with the caja project itself. See
>  http://code.google.com/p/google-caja.

Actually just a minor point: there is both Domita (a basic tamed DOM
access API) in Caja today, as well as innerHTML sanitizer which is
working and has been through rounds of review. Of course like you
said, much of this is "in progress", but it should be fairly usable.

Re: caja

[Cassie <do...@apache.org>]

Neo -
In the sample container, caja is enabled. You simply need to include the
caja feature by depending on it, call:

opensocial.Container.get().enableCaja()
(code for this is in container.js)

And then cajole the gadget you wish to display. You can currently do this by
appending caja=1 to the end of the gadget rendering url.

the enableCaja method right now does all the taming needed for opensocial.
However, the taming for the gadgets.* apis and improved dom handling have
not been implemented in Shindig. I think the myspace dev might have a
working implementation of this though and so I am trying to get them to
contribute it back to Shindig.

As for your second question, you should not use caja without iframes yet.
The caja guys can speak best to this, but I do not believe all of the
security is in place for caja to be fully ready. Caja with iframes is good
though and eventually caja will be ready. (You will have to ask them for
timelines though)

I hope all that helps.

- Cassie



On Sat, Mar 1, 2008 at 11:18 PM, Kevin Brown <et...@google.com> wrote:

> caja is still a work in progress -- a lot of manual work is required to
> make
> it work correctly with shindig. Specifically, you have to do the "taming"
> work necessary for each of the APIs that gets exposed to gadgets. Cassie
> has
> done work to make this work with opensocial-0.7 (she would know how
> complete
> that is), but none of the other APIs have had said work done.
>
> Taming is a fairly complicated subject, and it's going to take us a long
> time to make it all happen. There are also some rather significant
> limitations of caja today that are still being addressed (no tamed DOM
> api,
> in particular no safe innerHTML). The caja developers are working hard to
> make these things available to us, but that's a separate project from
> shindig, and if you want to attempt to use it with shindig today, you'll
> probably need to become familiar with the caja project itself. See
> http://code.google.com/p/google-caja.
>
> On Fri, Feb 29, 2008 at 10:19 PM, Neo Anderson <
> neoanderson123@googlemail.com> wrote:
>
> > How to use caja in Shindig?
> >
> > Can we use caja instead of iFrames?
> >
> > If we use caja, features like dynamic-height, settitle, UserPref and
> tabs
> > will work or not?
> >
>
>
>
> --
> ~Kevin
>

Re: caja

[Kevin Brown <et...@google.com>]

caja is still a work in progress -- a lot of manual work is required to make
it work correctly with shindig. Specifically, you have to do the "taming"
work necessary for each of the APIs that gets exposed to gadgets. Cassie has
done work to make this work with opensocial-0.7 (she would know how complete
that is), but none of the other APIs have had said work done.

Taming is a fairly complicated subject, and it's going to take us a long
time to make it all happen. There are also some rather significant
limitations of caja today that are still being addressed (no tamed DOM api,
in particular no safe innerHTML). The caja developers are working hard to
make these things available to us, but that's a separate project from
shindig, and if you want to attempt to use it with shindig today, you'll
probably need to become familiar with the caja project itself. See
http://code.google.com/p/google-caja.

On Fri, Feb 29, 2008 at 10:19 PM, Neo Anderson <
neoanderson123@googlemail.com> wrote:

> How to use caja in Shindig?
>
> Can we use caja instead of iFrames?
>
> If we use caja, features like dynamic-height, settitle, UserPref and tabs
> will work or not?
>



-- 
~Kevin