1. Security for Web2.0 application scenarios: Exposures, Issues and Challenges
Sumeer Bhola, Suresh Chari, Michael Steiner
2. Storyboard for motivation slides
Security-consicous developer on drawing board for used-car mashup
Dealers (generally: address, inventory via REST/JSON, dealer-specific details for example asactive (link to KBB) HTML)
Goes through various cycles & rejects each for functional or security problems, finally gives up
Get info for list viaDirect XHF-> non-functional: same origin
Try withScriptSrc-> no security: complete access to DOM & user credentials
Try withProxy-> controlled (data) service access but what about rich-text dealer info? -> ahh,ACF?! yet dealer wants to mash up with to KBB & allow price negotiation -> aargh, no security on active component
Ok, get viaIframe-> secure but now no way to synchronize update table for negotiated price?!
Give up frustrated
Very hard to find security solutions; very context/deployment specific!!
Most developers would not even have realized problems; insofar, above idealistic scenario!!
We need to give developer a ``tool which is
easy-to-use (otherwise not used) &
deployment setup-independent (important for mashup component providers)
3. Once upon a time there was a mashup developer 4. Design Map Srv Mashup Srv Browser Map Detail Car info ShDy All Gold 93 Rolls $$$ Cheapo Urkidn Red 77 Lada $ MoCo Sunroof Blue 01 Chevy $$ Dealer Options Color Year Model Price Dealer Dealer Dealer Srv XHR Same Origin does not allow 5. Design Map Srv Mashup Srv Browser Map Detail Car info ShDy All Gold 93 Rolls $$$ Cheapo Urkidn Red 77 Lada $ MoCo Sunroof Blue 01 Chevy $$ Dealer Options Color Year Model Price Dealer Dealer Dealer Srv