Abstract
Web mashups, a new web application development paradigm, combine content and services from multiple origins into a new service. Web mashups therefore depend heavily on interaction between content from multiple origins and on communication with different origins. Paradoxically, mashup security relies on separation to protect code and data. Traditional HTML techniques fail to address both the interaction/communication needs and the separation needs. This paper proposes concrete requirements for building secure mashups, divided into four categories: separation, interaction, communication and advanced behavior control. For the first three categories, all currently available techniques are discussed in light of the proposed requirements. For the last category, we present three relevant academic research results with high potential. We conclude the paper by highlighting the techniques that are most applicable to building secure mashups, based on their functionality and degree of standardization. We also discuss opportunities for future improvements and developments.
Keywords
- Security Requirement
- Mutual Authentication
- Authentication Credential
- USENIX Security Symposium
- Mashup Application
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
De Ryck, P., Decat, M., Desmet, L., Piessens, F., Joosen, W. (2012). Security of Web Mashups: A Survey. In: Aura, T., Järvinen, K., Nyberg, K. (eds) Information Security Technology for Applications. NordSec 2010. Lecture Notes in Computer Science, vol 7127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27937-9_16
DOI: https://doi.org/10.1007/978-3-642-27937-9_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27936-2
Online ISBN: 978-3-642-27937-9
eBook Packages: Computer Science (R0)