docwhat's blog

Mashups and JavaScript Security

I found this excellent video, Gears and the Mashup Problem, by Douglas Crockford (discoverer of JSON), talking about the security problems inherent in mashups and in JavaScript as a whole.

He proposes a solution involving what he calls vats: a self-contained JavaScript interpreter with limited communication to the page. The JavaScript in the page would be the only trusted code running, and the code in the various vats would not be trusted.

He mentions that there should be an interface such that the user is prompted with intelligent (and decidable) questions, such as “Do you want to give web site X $5.00 from your PayPal account?” or “Select the contacts you want to give Facebook from your Gmail account.”

He specifically mentions that Google Gears already has a vat in it and that they should expand on it to give it these extra abilities. I’m sure that is true, even though the lecture was given at Google’s campus.

The other thing he mentions is using JSONRequest as the channel to talk to the vats and the servers. I think JSONRequest would be a vast improvement over XMLHttpRequest, myself.

via: Ajaxian
