DOI: 10.1145/1242572.1242655

Subspace: secure cross-domain communication for web mashups

Published: 08 May 2007

Abstract

Combining data and code from third-party sources has enabled a new wave of web mashups that add creativity and functionality to web applications. However, browsers are poorly designed to pass data between domains, often forcing web developers to abandon security in the name of functionality. To address this deficiency, we developed Subspace, a cross-domain communication mechanism that allows efficient communication across domains without sacrificing security. Our prototype requires only a small JavaScript library, and works across all major browsers. We believe Subspace can serve as a new secure communication primitive for web mashups.
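The abstract asks for a cross-domain primitive that moves data, not code, between a mashup and a third-party domain, and admits that data only from a sender the mashup trusts. The following is an added example written for this page, not code from the Subspace paper or its prototype: it shows such a receiver built on window.postMessage, the primitive browsers standardized after this paper, with the origin checks that the "same origin policy" tag below is about. The origins (mashup.com, widget.example-service.com, attacker.net), the provider allowlist and the message envelope ({type, id, ...}) are hypothetical; the helper functions are pure so they run under Node as well as in a browser.

```javascript
// Added example (not from the Subspace paper): a data-only cross-domain receiver
// with an exact-origin allowlist. Uses window.postMessage, which browsers
// standardized after 2007. All origins and the message shape are hypothetical.

// Parse an origin string into its (scheme, host, port) tuple. Returns null for
// anything that is not an origin: the opaque "null" origin of sandboxed or
// data: frames, strings carrying a path, query, fragment or credentials, and
// unparsable input. Default ports are filled in so "https://a.com" and
// "https://a.com:443" compare equal.
function parseOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  let u;
  try {
    u = new URL(origin);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (u.pathname !== "/" || u.search !== "" || u.hash !== "" ||
      u.username !== "" || u.password !== "") return null;
  const port = u.port !== "" ? Number(u.port) : (u.protocol === "https:" ? 443 : 80);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Same-origin test: all three components must match. This is the comparison the
// browser itself applies, written out so the allowlist check below cannot drift.
function sameOrigin(a, b) {
  const x = parseOrigin(a);
  const y = parseOrigin(b);
  return x !== null && y !== null &&
    x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Allowlist check by exact origin. Substring tests on event.origin such as
// origin.indexOf("mashup.com") !== -1 are the classic mistake: they also admit
// https://mashup.com.attacker.net and https://evilmashup.com.
function isAllowedOrigin(origin, allowlist) {
  return allowlist.some((allowed) => sameOrigin(origin, allowed));
}

// Turn the raw message into plain data. JSON.parse only builds values, so the
// sender's text is never executed; a size cap bounds the parse cost, and the
// envelope must be an object with a string "type" so dispatch stays predictable.
function decodeMessage(raw) {
  if (typeof raw !== "string" || raw.length > 64 * 1024) return null;
  let data;
  try {
    data = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  if (typeof data.type !== "string") return null;
  return data;
}

// Full receive path: origin first, then payload. Returns a result object rather
// than acting on the DOM so the decision can be tested outside a browser.
function handleCrossDomainMessage(event, allowlist) {
  if (!isAllowedOrigin(event.origin, allowlist)) {
    return { accepted: false, reason: "origin" };
  }
  const data = decodeMessage(event.data);
  if (data === null) return { accepted: false, reason: "payload" };
  return { accepted: true, origin: event.origin, data };
}

// Browser glue (skipped under Node). The reply goes to event.source with
// targetOrigin pinned to the verified origin, never "*", so a frame that was
// navigated elsewhere in the meantime cannot read it.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  const ALLOWED_ORIGINS = ["https://widget.example-service.com"]; // hypothetical provider
  window.addEventListener("message", (event) => {
    const result = handleCrossDomainMessage(event, ALLOWED_ORIGINS);
    if (!result.accepted) return;
    event.source.postMessage(
      JSON.stringify({ type: "ack", id: result.data.id }), event.origin);
  });
}
```

Two points carry over to any cross-domain channel, whatever primitive implements it: the origin comparison is an exact (scheme, host, port) match, since substring matches on the sender's origin admit look-alike hosts; and the payload is parsed as JSON and never evaluated, which is what keeps the provider's code out of the mashup's security context. In a browser the third-party widget would run in an iframe on its own origin and send with parent.postMessage(JSON.stringify({ type: "todo", id: 1 }), "https://mashup.com").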

Published In

WWW '07: Proceedings of the 16th international conference on World Wide Web
May 2007
1382 pages
ISBN: 9781595936547
DOI: 10.1145/1242572
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. access control
  2. same origin policy
  3. trust
  4. web services

Qualifiers

  • Article

Conference

WWW'07: 16th International World Wide Web Conference
May 8 - 12, 2007
Banff, Alberta, Canada

Acceptance Rates

Overall acceptance rate: 1,899 of 8,196 submissions (23%)

Article Metrics

  • Downloads (Last 12 months)8
  • Downloads (Last 6 weeks)1
Reflects downloads up to 08 Feb 2025

Cited By

  • (2025) Security for Mashups. Encyclopedia of Cryptography, Security and Privacy, pp. 2291-2293. doi:10.1007/978-3-030-71522-9_660. Published 8 Jan 2025.
  • (2022) SoK: All or Nothing - A Postmortem of Solutions to the Third-Party Script Inclusion Permission Model and a Path Forward. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pp. 206-222. doi:10.1109/EuroSP53844.2022.00021. Published Jun 2022.
  • (2021) JSISOLATE: lightweight in-browser JavaScript isolation. Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 193-204. doi:10.1145/3468264.3468577. Published 20 Aug 2021.
  • (2017) Fabric: Building open distributed systems securely by construction. Journal of Computer Security 25(4-5), pp. 367-426. doi:10.3233/JCS-15805. Published 10 Jul 2017.
  • (2016) Mashic compiler: Mashup sandboxing based on inter-frame communication. Journal of Computer Security 24(1), pp. 91-136. doi:10.3233/JCS-160542. Published 1 Mar 2016.
  • (2015) A generic solution for web-based management of pseudonymized data. BMC Medical Informatics and Decision Making 15(1). doi:10.1186/s12911-015-0222-y. Published 30 Nov 2015.
  • (2015) Password Meters and Generators on the Web. Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, pp. 253-262. doi:10.1145/2699026.2699118. Published 2 Mar 2015.
  • (2015) Between Worlds: Securing Mixed JavaScript/ActionScript Multi-Party Web Content. IEEE Transactions on Dependable and Secure Computing 12(4), pp. 443-457. doi:10.1109/TDSC.2014.2355847. Published 1 Jul 2015.
  • (2015) A novel methodology towards a trusted environment in mashup web applications. Computers and Security 49(C), pp. 107-122. doi:10.1016/j.cose.2014.10.009. Published 1 Mar 2015.
  • (2015) Privacy-preserving authorization method for mashups. Security and Communication Networks 8(18), pp. 4421-4435. doi:10.1002/sec.1322. Published 1 Dec 2015.
