Security of Web Mashups: A Survey

  • Philippe De Ryck
  • Maarten Decat
  • Lieven Desmet
  • Frank Piessens
  • Wouter Joosen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7127)


Web mashups, a new web application development paradigm, combine content and services from multiple origins into a new service. Web mashups heavily depend on interaction between content from multiple origins and communication with different origins. Contradictory, mashup security relies on separation for protecting code and data. Traditional HTML techniques fail to address both the interaction/communication needs and the separation needs. This paper proposes concrete requirements for building secure mashups, divided in four categories: separation, interaction, communication and advanced behavior control. For the first three categories, all currently available techniques are discussed in light of the proposed requirements. For the last category, we present three relevant academic research results with high potential. We conclude the paper by highlighting the most applicable techniques for building secure mashups, because of functionality and standardization. We also discuss opportunities for future improvements and developments.


Security Requirement Mutual Authentication Authentication Credential USENIX Security Symposium Mashup Application 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adobe Systems Inc. Cross-domain policy file specification (January 2010),
  2. 2.
    Barth, A., Jackson, C., Hickson, I.: The web origin concept (June 2010),
  3. 3.
    Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communication in browsers. In: In Proceedings of the 17th USENIX Security Symposium (USENIX Security 2008) (2008)Google Scholar
  4. 4.
    Crites, S., Hsu, F., Chen, H.: Omash: Enabling secure web mashups via object abstractions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 99–108. ACM (2008)Google Scholar
  5. 5.
    Crockford, D.: The module tag (October 2006),
  6. 6.
    Crockford, D.: Adsafe (December 2009),
  7. 7.
    De Keukelaere, F., Bhola, S., Steiner, M., Chari, S., Yoshihama, S.: Smash: Secure component model for cross-domain mashups on unmodified browsers. In: Proceedings of the 17th International Conference on World Wide Web, pp. 535–544. ACM (2008)Google Scholar
  8. 8.
    Devriese, D., Piessens, F.: Non-interference through secure multi-execution. In: 2010 IEEE Symposium on Security and Privacy Proceedings, pp. 109–124 (2010)Google Scholar
  9. 9.
    Dutta, S.: Client-side cross-domain security (June 2008),
  10. 10.
    Facebook Developer Wiki. Cross domain communication (January 2009),
  11. 11.
    Facebook Developer Wiki. FBJS (August 2010),
  12. 12.
    Harmonia, Inc. Liquidapps (2010),
  13. 13.
    Hickson, I., Hyatt, D.: Html 5 working draft (June 2010),
  14. 14.
    Hickson, I., Hyatt, D.: Html 5 working draft - cross-document messaging (June 2010),
  15. 15.
    Hickson, I., Hyatt, D.: Html 5 working draft - the sandbox attribute (June 2010),
  16. 16.
  17. 17.
    Intel Corporation. Mash Maker (2010),
  18. 18.
    JackBe Corporation. Presto: Powering the enterprise app store (2010),
  19. 19.
    Jackson, C., Wang, H.J.: Subspace: secure cross-domain communication for web mashups. In: Proceedings of the 16th International Conference on World Wide Web, p. 620 (2007)Google Scholar
  20. 20.
    Li, Z., Zhang, K., Wang, X.F.: Mash-if: Practical information-flow control within client-side mashups. In: 2010 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 251–260 (2010)Google Scholar
  21. 21.
    Livshits, B., Meyerovich, L.: Conscript: Specifying and enforcing fine-grained security policies for javascript in the browser. Technical report, Microsoft Research (2009)Google Scholar
  22. 22.
    Maffeis, S., Mitchell, J.C., Taly, A.: Object capabilities and isolation of untrusted web applications. In: Proceedings of IEEE Security and Privacy 2010. IEEE (2010)Google Scholar
  23. 23.
    Maffeis, S., Taly, A.: Language-based isolation of untrusted javascript. In: 22nd IEEE Computer Security Foundations Symposium, pp. 77–91 (2009)Google Scholar
  24. 24.
    Magazinius, J., Askarov, A., Sabelfeld, A.: A lattice-based approach to mashup security. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 15–23 (2010)Google Scholar
  25. 25.
    Magazinius, J., Phung, P., Sands, D.: Safe wrappers and sane policies for self protecting javascript. In: 15th Nordic Conference on Secure IT Systems (2010)Google Scholar
  26. 26.
    Meyerovich, L.A., Felt, A.P., Miller, M.S.: Object views: Fine-grained sharing in browsers. In: Proceedings of the 19th International Conference on World Wide Web, pp. 721–730 (2010)Google Scholar
  27. 27.
    Miller, M.S., Samuel, M., Laurie, B., Awad, I., Stay, M.: Caja: Safe active content in sanitized javascript (January 2008),
  28. 28.
    OpenAjax Alliance. Openajax hub 2.0 specification (July 2009),
  29. 29.
    Phung, P.H., Sands, D., Chudnov, A.: Lightweight self-protecting javascript. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 47–60 (2009)Google Scholar
  30. 30.
    Ter Louw, M., Ganesh, K.T., Venkatakrishnan, V.N.: Adjail: Practical enforcement of confidentiality and integrity policies on web advertisements. In: 19th USENIX Security Symposium (2010)Google Scholar
  31. 31.
    Thorpe, D.: Secure cross-domain communication in the browser (July 2007),
  32. 32.
    van Kesteren, A.: Cross-origin resource sharing (2009)Google Scholar
  33. 33.
    Wang, H.J., Fan, X., Howell, J., Jackson, C.: Protection and communication abstractions for web browsers in mashupos. ACM SIGOPS Operating Systems Review 41(6), 16 (2007)CrossRefGoogle Scholar
  34. 34.
    Zalewski, M.: Browser security handbook (2010),
  35. 35.
    Zarandioon, S., Yao, D.D., Ganapathy, V.: Omos: A framework for secure communication in mashup applications. In: Annual Computer Security Applications Conference, ACSAC 2008, pp. 355–364 (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Philippe De Ryck
    • 1
  • Maarten Decat
    • 1
  • Lieven Desmet
    • 1
  • Frank Piessens
    • 1
  • Wouter Joosen
    • 1
  1. 1.IBBT-DistriNetKatholieke Universiteit LeuvenLeuvenBelgium

Personalised recommendations