A web mashup is a web application that integrates content from heterogeneous sources to provide users with a more integrated and seamless browsing experience. Client-side mashups differ from server-side mashups in that the content is integrated in the browser using the client-side scripts. However, the legacy same origin policy (SOP) implemented by the browsers cannot provide a flexible client-side communication mechanism to exchange information between different sources. To address this problem, we propose a secure client-side cross-domain communication model facilitated by a trusted proxy and the HTML 5 post Message method. The proxy-based model supports fine-grained access control for elements that belong to different sources in web mashups, and the design guarantees the confidentiality, integrity, and authenticity during cross-domain communications. The proxy-based design also allows users to browse mashups without installing browser plug-ins. For mashups developers, the provided API minimizes the amount of code modification. The results of experiments demonstrate that the overhead in-curred by our proxy model is low and reasonable.
Journal of Web Engineering, Vol.12, No.3&4, pp.291-316