Subspace: Secure Cross-Domain Communication for Web Mashupshttp://www2007.org/program/paper.php?id=801
This paper describes a new method of mashup communication that avoids some of the security and privacy concerns of existing approaches.
Exec summary: Create a little eco-system per mashup, perform some setup while you have trust, and then reduce your trust before running the mashup code.
Most mashup systems have to choose between completely isolating a mashup from the containing page using an iframe, or by using a <script> tag to include the mashup, which exposes the surrounding page (and all other gadgets on it) to malicious actions that one gadget can perform.
A few systems have tried different approaches.
The "Subspace" approach presented in this paper uses two browser features to sandbox the mashup's executing code from the surrounding page:
- a communicating object which is passed in to a frame before it changes it's security context with the document.domain call
The mashup is then run in the sandbox using a regular <script> tag, and data is communicated back up to the surrounding page using the communicating object.
The authors also document some of the differences between the major browsers -- IE6 and IE7, Firefox, Safari and Opera -- and explains how the Subspace solution works within each browser (callback methods on the communicating object for some browsers, polling in other browsers).
The Subspace approach is quite clever, and works in a similar to other programming environments that allow you to do some setup in a trusted configuration, and then lower your privileges before running untrusted code. This approach is common in setuid unix programs, or in .NET AppDomains.