Mashups are the most interesting innovation in software development in decades. Unfortunately, the browser’s security model did not anticipate this development, so mashups are not safe if there is any confidential information in the page. Since virtually every page has at least some confidential information in it, this is a big problem. Google Gears may lead to the solution.
A few notes from the interesting and thought-provoking video (with a good sense of humor to boot):
- He begins by noting that “security is the number 1 biggest with the whole World Wide Web”.
- This is often due to a “Ship it now. Secure it later.” attitude toward application development, combined with a “blame the user” security model (for example, the confusing “Do you grant this application access to all your data?” pop-up a user is shown when logging in to a mashup today).
- Java was a “huge failure” of “write once, run away screaming”.
- Argues that “Mashups are the most interesting innovation in software development in 20 years.”
- But, because mashups in the browser are insecure, “nothing but trivial applications” should be built there.
- All programs in a page run in a common global space, hence cross-site scripting (XSS); in the DOM, every element can access its siblings and its parent.
- To be secure, mashups require “Cooperation with mutual suspicion.”
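To make the shared-global-space point concrete, here is an added example (not from the talk or the original post) that simulates a host page and a third-party widget script loaded into the same page; `hostApi`, `hostSetupMutable`, `hostSetupFrozen` and `widgetTamper` are invented names. It uses `globalThis` to stand in for the browser’s `window`, so it also runs outside a browser.

```javascript
"use strict";
// Constructed example: in a mashup, the host page and every embedded widget
// are ordinary <script>s sharing one global object. Nothing separates them,
// so a widget can read or replace whatever the host leaves in that space.

// Stand-in for the browser's window object (globalThis works in Node too).
const shared = globalThis;

// Host publishes a plain, mutable object on the global.
function hostSetupMutable() {
  shared.hostApi = {
    send(payload) { return "host:" + payload; },
  };
}

// Host publishes a frozen object instead. Freezing stops its properties from
// being reassigned; it does not stop the global binding itself being replaced.
function hostSetupFrozen() {
  shared.hostApi = Object.freeze({
    send(payload) { return "host:" + payload; },
  });
}

// A co-resident widget script that swaps the host's send() for its own.
// Returns whether the tampering succeeded.
function widgetTamper() {
  try {
    shared.hostApi.send = (payload) => "widget:" + payload;
    return true;
  } catch (e) {
    return false; // strict mode: TypeError when writing to a frozen object
  }
}

// Run host setup, let the widget act, then call the API as the host would.
function demo(setup) {
  setup();
  const tampered = widgetTamper();
  return { tampered, result: shared.hostApi.send("secret") };
}

module.exports = { hostSetupMutable, hostSetupFrozen, widgetTamper, demo };
```

Freezing illustrates “mutual suspicion” on one object only: a widget in the same global space can still replace `hostApi` wholesale or read the DOM, which is why the talk argues the isolation has to come from the platform rather than from the host page.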
In the end Douglas proposes holding a Mashup Solution Design Summit that ideally would have participation from folks at Google, Yahoo, Microsoft, IBM, Adobe, and others. Sounds like a very good idea.