Sunday, June 03, 2007

Subspace: Secure Cross-Domain Communication for Web Mashups

This paper describes a new method of mashup communication that avoids some of the security and privacy concerns of existing approaches.

Exec summary: Create a little eco-system per mashup, perform some setup while you have trust, and then reduce your trust before running the mashup code.

Most mashup systems have to choose between completely isolating a mashup from the containing page using an iframe, or by using a <script> tag to include the mashup, which exposes the surrounding page (and all other gadgets on it) to malicious actions that one gadget can perform.

A few systems have tried different approaches.

At TechEd 06 in Auckland, George Moore described a new Address Book mashup that they were prototyping for (not sure if it was ever released) that used document fragment identifiers (the #blah bits of the url) and a complicated polling and window.location changing mechanism to communicate serialised javascript objects. It was quite fragile because of the need to serialise the information into chunks that could fit on the end of the urls, and because the javascript library to support the communication needs to guarantee delivery and sequencing of the communication.

The "Subspace" approach presented in this paper uses two browser features to sandbox the mashup's executing code from the surrounding page:
  • document.domain = "", which allows javascript to consent to communication by other frames that set the same document.domain
  • a communicating object which is passed in to a frame before it changes it's security context with the document.domain call
The mashup is then run in the sandbox using a regular <script> tag, and data is communicated back up to the surrounding page using the communicating object.

The authors also document some of the differences between the major browsers -- IE6 and IE7, Firefox, Safari and Opera -- and explains how the Subspace solution works within each browser (callback methods on the communicating object for some browsers, polling in other browsers).

The Subspace approach is quite clever, and works in a similar to other programming environments that allow you to do some setup in a trusted configuration, and then lower your privileges before running untrusted code. This approach is common in setuid unix programs, or in .NET AppDomains.

Comments are closed.