Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Microsoft’s Wang has been working on solving the problem by providing a way for browsers to recognize code that comes from a third party, and to treat that code differently than that from the host website. She proposes enclosing third-party code in a “sandbox” tag, which would act as a sort of one-way glass. It would allow the larger website to make use of the code contained within the sandbox but treat that code as unauthorized content, with no authority outside the sandbox. Any information that the third-party code required could be included inside the sandbox. However, in order for this solution to be effective, the sandbox tag would need to become an accepted Web standard. Wang has built a prototype of Internet Explorer that recognizes the tag, but she notes that it would take time for the tag to be adopted in all browsers.

Earlier this month, IBM released a security tool called SMash (short for “secure mashups”) that aims to solve the problem without changing the browser. SMash allows content from multiple sources to be displayed on a single page, and it enables tools to communicate in a safe way, explains Larry Koved, Web 2.0 security scientist for IBM Research. A secure communication channel monitors information sent between tools, while still maintaining their separate identities and separate sets of permissions. A mashup creator using SMash connects each tool to a hub that then takes charge of monitoring the messages sent between tools, looking for suspicious activity. Koved says that each tool included in the mashup can control how its data is transformed and presented.

SMash, says Boloker, trades off the ability to tightly interconnect widgets within a mashup in order to keep it secure and easy to make. IBM plans to incorporate SMash in its Lotus Mashups product, to be released this summer, and the company has also donated the code to the OpenAjax Alliance, which allows any mashup maker to use it.

Chris Warner, director of marketing at mashup maker JackBe, says of existing offerings, “In general, mashup security is still a bit of a Wild West.” As a member of the OpenAjax Alliance, he says, JackBe plans to support SMash and other standards released through the alliance. He adds that “the next step for the mashup industry is to make sure that we develop a universal picture of security.”

0 comments about this story. Start the discussion »

Credit: Microsoft Research/TR

Tagged: Communications, security, software

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me