Combining data and code from third-party sources has enabled a new wave of web mashups that add creativity and functionality to web applications. However, browsers are poorly designed to pass data between domains, often forcing web developers to abandon security in the name of functionality. To address this deficiency, we developed Subspace, a cross-domain communication mechanism that allows efficient communication across domains without sacrificing security. Our prototype requires only a small JavaScript library, and works across all major browsers. We believe Subspace can serve as a new secure communication primitive for web mashups. Categories and Subject Descriptors K.6.5 [Management of Computing and Information Systems]: Security and Protection--Unauthorized Access General Terms Design, Security, Performance Keywords access control, trust, web services, same origin policy
Collin Jackson, Helen J. Wang