On Tue, 2010-08-17 at 11:35 -0700, ๏̯͡๏ Jasvir Nagra wrote:
>
> For code in the caja subset of javascript/html, the cajoled gadget can
> safely be on the same origin as the container. The security policy
> does not rely on origin but rather the choice and implementation of
> APIs that the container exposes to the gadget.

Is there an actual proof of the behaviour of Valija? My understanding was that Caja handled different vulnerabilities - adding extra security to iframes, and aiming for the same security that iframes add, but not quite there yet. I may well have missed some milestone with caja over the past year or so though.

Tim