Sunday, June 03, 2007

Subspace: Secure Cross-Domain Communication for Web Mashups

This paper describes a new method of mashup communication that avoids some of the security and privacy concerns of existing approaches.

Exec summary: Create a little ecosystem per mashup, perform some setup while you still have trust, and then reduce your trust before running the mashup code.

Most mashup systems have to choose between completely isolating a mashup from the containing page using an iframe, or including the mashup with a <script> tag, which exposes the surrounding page (and every other gadget on it) to any malicious actions that one gadget can perform.

A few systems have tried different approaches.

At TechEd 06 in Auckland, George Moore described a new Address Book mashup that they were prototyping for (not sure if it was ever released) that used document fragment identifiers (the #blah bits of the url) and a complicated polling and window.location-changing mechanism to communicate serialised javascript objects. It was quite fragile because the information had to be serialised into chunks small enough to fit on the end of the urls, and because the javascript library supporting the communication had to guarantee delivery and sequencing of the messages itself.

The "Subspace" approach presented in this paper uses two browser features to sandbox the mashup's executing code from the surrounding page:
  • document.domain = "", which allows javascript to consent to communication with other frames that set the same document.domain
  • a communicating object which is passed in to a frame before it changes its security context with the document.domain call
The mashup is then run in the sandbox using a regular <script> tag, and data is communicated back up to the surrounding page using the communicating object.
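To make the setup-then-lower-trust sequence concrete, here is a small Node.js model of the Subspace steps described above. It is an added illustration, not code from the paper or from any browser: the Frame class, canAccess() and the host names top.example.com / webservice.example.com are constructed to mimic the document.domain rule, and no real iframes or scripts are involved.

```javascript
// Simulation of the Subspace setup sequence (constructed for illustration;
// Frame, canAccess and the host names are assumptions, not browser APIs).
class Frame {
  constructor(name, host) {
    this.name = name;
    this.host = host;           // host the frame's document was loaded from
    this.domain = host;         // current document.domain value
    this.domainLowered = false; // whether document.domain was ever assigned
    this.globals = {};          // stand-in for the frame's window object
  }
  // Mimics assigning document.domain: only a suffix of the host is allowed.
  setDocumentDomain(suffix) {
    if (this.host !== suffix && !this.host.endsWith('.' + suffix)) {
      throw new Error(`${this.name}: ${suffix} is not a suffix of ${this.host}`);
    }
    this.domain = suffix;
    this.domainLowered = true;
  }
}

// Browser rule Subspace relies on: two frames may script each other when they
// are same-origin and neither touched document.domain, or when both have set
// document.domain to the same value. Lowering on one side only is not enough.
function canAccess(a, b) {
  if (!a.domainLowered && !b.domainLowered) return a.host === b.host;
  return a.domainLowered && b.domainLowered && a.domain === b.domain;
}

// Runs the three Subspace steps and returns the frames plus the shared channel.
function subspaceSetup() {
  const top = new Frame('top', 'top.example.com');
  const mediator = new Frame('mediator', 'top.example.com');
  // Step 1: while top and mediator are still same-origin (trusted), top hands
  // the mediator a communicating object and keeps its own reference to it.
  const channel = { messages: [], send(m) { this.messages.push(m); } };
  if (!canAccess(top, mediator)) throw new Error('setup must run while trusted');
  mediator.globals.channel = channel;
  // Step 2: the untrusted frame lives on a sibling host; it and the mediator
  // lower document.domain to the shared suffix, but top keeps its original.
  const untrusted = new Frame('untrusted', 'webservice.example.com');
  mediator.setDocumentDomain('example.com');
  untrusted.setDocumentDomain('example.com');
  // Step 3: the mediator passes the channel down; untrusted code (loaded with a
  // plain <script> tag in the real design) only sees what the channel exposes.
  if (!canAccess(untrusted, mediator)) throw new Error('domains must match');
  untrusted.globals.channel = mediator.globals.channel;
  untrusted.globals.channel.send({ from: untrusted.name, data: 'gadget result' });
  return { top, mediator, untrusted, channel };
}
```

The assertions worth checking are that, after setup, the untrusted frame can reach the mediator but not the top page, while the top page still reads the gadget's result through the channel object it created before trust was lowered.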

The authors also document some of the differences between the major browsers -- IE6 and IE7, Firefox, Safari and Opera -- and explain how the Subspace solution works within each browser (callback methods on the communicating object for some browsers, polling in others).

The Subspace approach is quite clever, and works in a similar way to other programming environments that let you do some setup in a trusted configuration and then lower your privileges before running untrusted code. This approach is common in setuid unix programs, or in .NET AppDomains.

posted on Sunday, June 03, 2007 9:15:16 PM (New Zealand Standard Time, UTC+12:00)

This will be my fifth attempt at blogging -- my first in 2000ish (though not programming related), with several subsequent efforts that have languished since then. Each time there has been some reason to get started blogging again (usually an event of some sort), and then life has caught up with me...

So, thanks to the encouragement of Ivan Porto Carrero, I have a new fandangily blog up here at (RSS / atom)

Who am I?

  • Software developer living in Wellington, NZ
  • Working for Xero
  • Organise the Wellington .NET Users Group, which meets monthly to discuss the latest .NET technologies
  • Help to organise Code Camps around the place (next one in Auckland, just before TechEd)
  • Microsoft MVP
  • Possess an unhealthy interest in the banal details of the Common Language Runtime
  • Two gorgeous kids and a beautiful wife

Who aren't I?

  • I'm not religious, neither in the traditional sense nor in the Linux vs Windows / C# vs Java sense
  • I don't dance
  • I don't sing
  • I don't drink coffee or cola
  • I don't drink, smoke, or ingest any mind-altering substances
  • I don't play poker, chess, or go
  • I don't read nearly as many books as I used to
  • I don't read all my email (but I do practice Zero Blog Bounce, for some reason)
  • I'm not That Guy

But I'm not boring. Honest!

I look forward to posting all of those "I wish I had a blog" things once again...

posted on Sunday, June 03, 2007 7:28:57 PM (New Zealand Standard Time, UTC+12:00)