Microsoft’s Wang has been working on solving the problem by providing a way for browsers to recognize code that comes from a third party, and to treat that code differently than that from the host website. She proposes enclosing third-party code in a “sandbox” tag, which would act as a sort of one-way glass. It would allow the larger website to make use of the code contained within the sandbox but treat that code as unauthorized content, with no authority outside the sandbox. Any information that the third-party code required could be included inside the sandbox. However, in order for this solution to be effective, the sandbox tag would need to become an accepted Web standard. Wang has built a prototype of Internet Explorer that recognizes the tag, but she notes that it would take time for the tag to be adopted in all browsers.
Earlier this month, IBM released a security tool called SMash (short for “secure mashups”) that aims to solve the problem without changing the browser. SMash allows content from multiple sources to be displayed on a single page, and it enables tools to communicate in a safe way, explains Larry Koved, Web 2.0 security scientist for IBM Research. A secure communication channel monitors information sent between tools, while still maintaining their separate identities and separate sets of permissions. A mashup creator using SMash connects each tool to a hub that then takes charge of monitoring the messages sent between tools, looking for suspicious activity. Koved says that each tool included in the mashup can control how its data is transformed and presented.
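The hub arrangement described above, as an added example that is not IBM's SMash code and not Wang's prototype tag: a small mediator that keeps a separate identity (origin) and permission set for every widget, checks every message against them, lets each widget decide how its own data is presented before anyone else sees it, and records each decision for monitoring. All names here (Hub, registerWidget, send, present, the three widgets and their origins) are illustrative. It assumes the isolation half of the design, keeping third-party code from touching the host page, is provided separately; in a browser that is the sandboxed iframe, with each widget's messages arriving through postMessage so the hub can also compare the sender's claimed identity against the event's origin. The version below is DOM-free so it runs in Node and models only the hub's policy.

```javascript
// Added example of a mashup message hub with per-widget identities and
// permissions. Not IBM's SMash and not part of the article; every name
// (Hub, registerWidget, send, present, widget names, origins) is illustrative.
// Assumes each widget is already isolated from the page (e.g. in an
// <iframe sandbox>) and reaches the hub only through messages.

class Hub {
  constructor() {
    this.widgets = new Map(); // name -> { origin, mayPublish, maySubscribe, present, inbox }
    this.audit = [];          // one record per decision, for monitoring
  }

  // Register a widget with its origin (its identity), the topics it may
  // publish and subscribe to, and its own `present` hook, which transforms
  // the widget's data before the hub shows it to anyone else.
  registerWidget(name, { origin, publish = [], subscribe = [], present = (topic, p) => p }) {
    if (this.widgets.has(name)) throw new Error(`duplicate widget ${name}`);
    this.widgets.set(name, {
      origin,
      mayPublish: new Set(publish),
      maySubscribe: new Set(subscribe),
      present,
      inbox: [],
    });
  }

  // Mediate one message. Returns the names of the widgets that received it
  // ([] when the hub refused it). Every refusal is logged with a reason.
  send({ from, origin, topic, payload }) {
    const deny = (reason) => {
      this.audit.push({ from, topic, decision: 'deny', reason });
      return [];
    };
    const sender = this.widgets.get(from);
    if (!sender) return deny('unknown sender');
    if (sender.origin !== origin) return deny('origin mismatch');        // identity check
    if (!sender.mayPublish.has(topic)) return deny('not permitted to publish');

    let cleaned;
    try {
      cleaned = sender.present(topic, payload);                           // sender controls what leaves it
    } catch (e) {
      return deny('present() rejected payload');
    }
    // Only strings cross the boundary, so no live object reference is shared
    // between widgets that are supposed to stay separate.
    if (typeof cleaned !== 'string') return deny('payload must be a string');

    const delivered = [];
    for (const [name, w] of this.widgets) {
      if (name === from || !w.maySubscribe.has(topic)) continue;
      w.inbox.push({ from, topic, payload: cleaned });
      delivered.push(name);
    }
    this.audit.push({ from, topic, decision: 'allow', delivered });
    return delivered;
  }

  inbox(name) {
    return this.widgets.get(name).inbox;
  }
}

// A three-widget mashup with constructed sample data: a contacts widget that
// may publish addresses, a map that may read them, and an ad widget that may not.
function runScenario() {
  const hub = new Hub();
  hub.registerWidget('contacts', {
    origin: 'https://crm.example',
    publish: ['address'],
    // The contacts widget decides what leaves it: the city, never the whole record.
    present: (topic, record) => JSON.stringify({ city: record.city }),
  });
  hub.registerWidget('map', { origin: 'https://maps.example', subscribe: ['address'] });
  hub.registerWidget('ads', { origin: 'https://ads.example', subscribe: ['clicks'] });

  const record = { name: 'A. Person', street: '1 Main St', city: 'Austin' }; // constructed sample
  return {
    hub,
    // legitimate publish: reaches the map only
    legit: hub.send({ from: 'contacts', origin: 'https://crm.example', topic: 'address', payload: record }),
    // the ad widget claims to be the contacts widget: origin does not match
    spoof: hub.send({ from: 'contacts', origin: 'https://ads.example', topic: 'address', payload: record }),
    // the ad widget publishes a topic it has no permission for
    overreach: hub.send({ from: 'ads', origin: 'https://ads.example', topic: 'address', payload: 'x' }),
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario().hub.audit, null, 2));
}
```

The two refusals are where the trade-off Boloker describes shows up: widgets cannot call each other or share objects directly, only exchange hub-approved strings on hub-approved topics, which is what keeps the ad widget from reading the contact record.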
SMash, says Boloker, trades off the ability to tightly interconnect widgets within a mashup in order to keep it secure and easy to make. IBM plans to incorporate SMash in its Lotus Mashups product, to be released this summer, and the company has also donated the code to the OpenAjax Alliance, which allows any mashup maker to use it.
Chris Warner, director of marketing at mashup maker JackBe, says of existing offerings, “In general, mashup security is still a bit of a Wild West.” As a member of the OpenAjax Alliance, he says, JackBe plans to support SMash and other standards released through the alliance. He adds that “the next step for the mashup industry is to make sure that we develop a universal picture of security.”