Secure EcmaScript

⚠️ This is not an official, working packaging of Google Caja’s SES. This is a project attempting to bring SES to Node.js but will probably not be viable until Node.js 0.12 at least.

SES is a tool that allows mutually suspicious programs to share a single EcmaScript 5 compliant JavaScript context without interfering with each other. It does this by freezing everything that is accessible in global scope, removing interfaces that would allow programs to interfe with each-other, and providing the ability to evaluate arbitrary code in isolation.

SES is a part of the Google Caja project. For JavaScript contexts that do not support EcmaScript 5, Caja depends on compiling JavaScript to a JavaScript subset with static verification and run-time assertions to maintain isolation. With EcmaScript 5, it is possible to run isolated code without a compilation step or run-time checks.

Initialize SES by executing these scripts in order.

• logger.js
• repairES5.js
• WeakMap.js
• debug.js
• StringMap.js
• whitelist.js
• atLeastFreeVarNames.js
• startSES.js
• ejectorsGuardsTrademarks.js
• hookupSESPlus.js

This is an example of initializing SES in a web page.

<script src="logger.js"></script>
<script src="repairES5.js"></script>
<script src="WeakMap.js"></script>
<script src="debug.js"></script>
<script src="StringMap.js"></script>
<script src="whitelist.js"></script>
<script src="atLeastFreeVarNames.js"></script>
<script src="startSES.js"></script>
<script src="ejectorsGuardsTrademarks.js"></script>
<script src="hookupSESPlus.js"></script>

This is an example of initializing SES in Node.

var FS = require("fs");
var VM = require("vm");
 
var source = FS.readFileSync("initSES.js");
var script = new VM.Script(source);
script.runInThisContext();
 
var f = cajaVM.compileExpr("console.log('hi')");
f({console: console});

Included is a binary runner under the name ses

ses example/code.js