I saw an incredible presentation on this at the MIT monthly Lisp meeting by the ex-OLPC security guy and BitFrost architect Ivan Krstic. Fascinating idea, and something that made me really want to explore the uses of JavaScript in terms of security.
It also made me wonder about the feasibility of implementing a capabilities system in CLisp or Scheme. So many ideas, so little time...
I've actually been mulling over the possibility of combining the capability security model with a continuation-based web application framework, and think a Lisp with continuations (like Scheme or Arc) might be the easiest substrate from which to start.
It seems like a natural fit: your current capability grants would be closed over in any lexical scope, which means that a continuation would also encapsulate a capability set. Resuming the continuation would implicitly restore the security context active when it was captured.
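The idea in the comment above, that a captured continuation carries the capability grants of its lexical scope, as an added example that is not part of the original thread. JavaScript has no first-class continuations, so a closure stands in for the captured continuation here; every name and all file contents are constructed for illustration.

```javascript
'use strict';
// Constructed sample store holding full authority over `files`.
function makeStore(files) {
  return Object.freeze({
    read: (name) => files.get(name),
    write: (name, data) => { files.set(name, data); },
  });
}

// Attenuation: derive a weaker capability that can only read one file.
function readOnly(store, name) {
  return Object.freeze({ read: () => store.read(name) });
}

// Caretaker: a forwarding capability that the grantor can later revoke.
function revocable(cap) {
  let target = cap;
  const proxy = Object.freeze({
    read: () => {
      if (target === null) throw new Error('capability revoked');
      return target.read();
    },
  });
  return { proxy, revoke: () => { target = null; } };
}

// A request handler that suspends itself. The returned closure stands in for
// a captured continuation: it closes over `cap` and has no other authority.
function startRequest(cap) {
  const header = 'report: ';
  return function resume(userInput) {
    return header + cap.read() + ' / ' + userInput;
  };
}

function demo() {
  const files = new Map([['report.txt', 'Q3 ok'], ['secrets.txt', 'hunter2']]);
  const store = makeStore(files);
  const { proxy, revoke } = revocable(readOnly(store, 'report.txt'));
  const k = startRequest(proxy);   // "capture" with an attenuated grant
  const first = k('hello');        // resumed later; grant comes from the closure
  revoke();                        // grantor withdraws the capability
  let second;
  try { second = k('again'); } catch (e) { second = e.message; }
  return { first, second, canWrite: 'write' in proxy };
}
```

Resuming `k` restores exactly the grant that was in scope at capture time, and the caretaker shows the caveat that comes with it: a suspended continuation keeps its authority until the grantor revokes it.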
A capabilities system in Scheme was done in the 90s, though AFAIK it is now dead. Still, the paper describing it is worth reading and may give you some inspiration: http://fare.tunes.org/tmp/emergent/secureos.htm
Caja is largely based on the capability security model as explored in the E programming language. There are some great tutorials and links to further work on capability security at the E language website: http://www.erights.org/
The spec is great reading, too [PDF]: http://google-caja.googlecode.com/files/caja-spec-2008-06-07...