A Security Proxy-Based Cross-Domain Communication for Web Mashups

[Project Closed] From Jan. 2008 to Dec. 2010 @ Department of Information Management, National Taiwan University, as a PhD candidate under the supervision of Dr. Yeali S. Sun.

Problem. A web mashup is a web application that integrates content from heterogeneous sources to provide users with a more integrated and seamless browsing experience. Client-side mashups differ from server-side mashups in that the content is integrated in the browser using client-side scripts. However, the legacy same origin policy (SOP) implemented by browsers cannot provide a flexible client-side communication mechanism for exchanging information between different sources. In the past, web mashups offered only an all-trust or no-trust model, which makes it hard for mashup developers to control the privacy of their data.

Goal. I propose a secure client-side cross-domain communication model facilitated by a trusted proxy and the HTML 5 postMessage method. The proxy-based model supports fine-grained access control for elements that belong to different sources in web mashups, and the design guarantees confidentiality, integrity, and authenticity during cross-domain communication. The proxy-based design also allows users to browse mashups without installing browser plug-ins. For mashup developers, the provided API minimizes the amount of code modification.

Benefit. 1) Build a client-side cross-domain communication library on top of the HTML 5 postMessage method in a proxy-style fashion. It gives developers a convenient, flexible and secure way to implement interactive mashups. 2) Automatically generate and enforce fine-grained, secure access logic (in JavaScript) from an XML-based access control policy (ACP) supplied by the mashup developers. No new HTML tags or browser plug-ins are needed. 3) Implement a prototype system and measure the overhead of the proxy. The results show that the overhead is linear in the number of shared components. 4) The design gives mashup platform providers an easy way to cooperate with other web services while protecting the private data of end users through the access control policy.

Implementation. Four parties are involved in a web mashup: user, proxy, integrator and provider. The figure below shows the interaction between these parties while performing a fine-grained, access-controlled cross-domain communication.
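How the proxy's policy check could be enforced at the postMessage boundary, as an added example written for this page (it is not the project's library or the paper's code); the policy object, origins, component names and the `forward` hook are constructed assumptions:

```javascript
// Access-control policy: each shared component names its owner origin and the
// origins permitted to read or write it. The paper derives this from an XML ACP;
// here it is written out as a plain object for brevity (assumption).
const policy = {
  "map-widget": {
    owner: "https://maps.example",
    read: ["https://integrator.example"],
    write: ["https://integrator.example"],
  },
  contacts: {
    owner: "https://crm.example",
    read: [],            // nobody but the owner may read private contact data
    write: [],
  },
};

// Decide whether `origin` may perform `op` on `component`: unknown components
// and operations are denied, and the owner always has access to its own element.
function authorize(policy, origin, component, op) {
  const rule = policy[component];
  if (!rule) return false;
  if (origin === rule.owner) return true;
  const allowed = op === "read" ? rule.read : op === "write" ? rule.write : [];
  return allowed.includes(origin);
}

// Proxy message handler. `event` has the shape of a browser MessageEvent
// (origin, data); `frames` maps an owner origin to the window hosting its
// component; `forward(target, message, targetOrigin)` is injected so the
// routing logic can run outside a browser (in the browser it wraps postMessage).
function handleMessage(policy, frames, event, forward) {
  const { component, op, value } = event.data || {};
  // event.origin is filled in by the browser and cannot be forged by the sender,
  // so it is the authenticated identity the policy is checked against.
  if (!authorize(policy, event.origin, component, op)) {
    return { status: "denied", component, origin: event.origin };
  }
  const owner = policy[component].owner;
  // Name the recipient origin explicitly; "*" would hand the message to
  // whatever document currently occupies the frame.
  forward(frames[owner], { component, op, value, from: event.origin }, owner);
  return { status: "forwarded", to: owner };
}

// Browser wiring (skipped when run under Node): register the proxy handler.
if (typeof window !== "undefined") {
  const frames = {}; // populate with iframe.contentWindow per owner origin
  window.addEventListener("message", (e) =>
    handleMessage(policy, frames, e, (t, m, o) => t && t.postMessage(m, o)));
}
```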

Research Achievement.

  • An easy-to-use JavaScript library for any mashup developer to implement secure cross-domain communication.

  • Shun-Wen Hsiao, Yeali S. Sun, and Meng Chang Chen, “A Security Proxy-Based Cross-Domain Communication for Web Mashups,” Journal of Web Engineering, vol. 12, no. 3-4, pp. 291-316, Jul. 2013. (SCI, IF: 0.361)
  • Shun-Wen Hsiao, Yeali S. Sun, Fu-Chi Ao, and Meng Chang Chen, “A Secure Proxy-Based Cross-Domain Communication for Web Mashups,” in Proc. 2011 IEEE 9th European Conference on Web Services (ECOWS), Lugano, Switzerland, Sep. 2011, pp. 57-64. (EI)
Copyright 2013 © Advanced Networking Technologies and Services Group. All rights reserved.