Douglas Crockford on the Mashup Problem

If you're at all interested in the future of JavaScript as a mashup platform, be sure to watch this engaging talk by Douglas Crockford on Gears and the Mashup Problem (for those of you who don't know Douglas, he's currently senior JavaScript architect at Yahoo and is arguably the foremost expert on JavaScript and JSON today). It's a Google Tech Talk from last month, and here's the abstract:

Mashups are the most interesting innovation in software development in decades. Unfortunately, the browser's security model did not anticipate this development, so mashups are not safe if there is any confidential information in the page. Since virtually every page has at least some confidential information in it, this is a big problem. Google Gears may lead to the solution.


A few notes from the interesting and thought-provoking video (with a good sense of humor to boot):

  • He begins by noting that "security is the number 1 biggest with the whole World Wide Web".
  • This is often due to a "Ship it now. Secure it later." attitude to application development along with a "blame the user" security model (like what happens these days when a user's given a confusing "Do you grant this application access to all your data" pop-up login in a mashup).
  • He traces the history of JavaScript from Netscape 2, through Microsoft's JScript and XMLHttpRequest, and points out that neither the HTML nor the JavaScript standards have been updated since 1999 (Web time no longer means doing things "really fast").
  • Java was a "huge failure" of "write once, run away screaming".
  • Argues that "Mashups are the most interesting innovation in software development in 20 years."
  • But, because mashups in the browser are insecure, "nothing but trivial applications" should be built there.
  • All programs on a page run in one common global space, which is what makes cross-site scripting (XSS) possible; in the DOM, every element can reach its siblings and its parent, so nothing on the page is isolated from anything else.
  • To be secure, mashups require "Cooperation with mutual suspicion."
  • He is a big fan of Google Gears, which by virtue of its Worker Pool architecture has the potential to address many of the key JavaScript security issues.

In the end Douglas proposes holding a Mashup Solution Design Summit that ideally would have participation from folks at Google, Yahoo, Microsoft, IBM, Adobe, and others. Sounds like a very good idea.
