The current security strategy employed by many sites and services that allow third-party code is to contain the application content within an iframe. In the case of application development on a social networking site, many applications must first go through a review process to ensure that they’re not malicious before being approved for use on the site. Application developers can then generally update their application as they see fit and have the changes appear in the live version immediately.

The iframe approach nullifies a number of different attacks that a malicious application developer may launch against the host site, but it does nothing to protect the user working in the application. The content of the iframe is not sanitized, which means that the same security issues that exist in any site on the Internet still exist in this context.

This is where other security implementations such as Caja and ADsafe come into play. They attempt to remove the majority of the attack vectors that an application developer may employ against a user. We will explore some of the specific attacks in the next section as part of our larger discussion of Caja.