Monday, May 14th, 2007

Subspace: Enabling trusted cross domain Ajax

Category: Editorial

Collin Jackson and Helen Wang presented their paper at WWW2007 on Subspace: Secure Cross-Domain Communication for Web Mashups:

Combining data and code from third-party sources has enabled a new wave of web mashups that add creativity and functionality to web applications. However, browsers are poorly designed to pass data between domains, often forcing web developers to abandon security in the name of functionality. To address this deficiency, we developed Subspace, a novel cross-domain communication mechanism that allows efficient communication across domains without sacrificing security. Our prototype requires only a small JavaScript library, and works across all major browsers. We believe Subspace can serve as a new secure communication primitive for web mashups.

This paper shows the technique of nested iframes, to enable secure cross-domain communication. The technique relies on document.domain, and offers a detail on iframe security in the various browsers.


Posted by Dion Almaer at 7:33 am

4.1 rating from 36 votes


Comments feed TrackBack URI

It would have been better if they named this Secure *Sub*-Domain Communciation for Web Mashups, since only communication with a subdomain is allowed (from to, not from to It seems like a refinement of the standard document.domain type of iframe communication. But the document does have some nice summary information in there.

Comment by James — May 14, 2007

This is an interesting paper. However the use of iframes will likely interfere with the history and make proper back/forward button usage difficult or impossible.

Comment by Brian — May 14, 2007

Dojo has had a module that does that for some time now. It’s not a novel idea.

Comment by Jordan — May 14, 2007

You can also use Dynamic Script Insertion to tackle this issue. It is far simpler and much more robust. See my website link above for more information.

Comment by Mike — May 14, 2007

James and Mike – The idea is to combine cross-*sub*domain communication with dynamic script insertion to get true cross-*domain* communication, but in a controlled way that avoids the excessive trust requirements of dynamic script insertion.

Brian – You’re right, Subspace isn’t very back button friendly, and is best suited for single page applications.

Comment by Collin Jackson — May 14, 2007

I think there should be a an organisation that one could go through, that validates data sources.

Ex: src=””

If the link isn’t validated by the service, I would get void() in return, otherwise, I’d get some code/data from

Comment by mikael bergkvist — May 14, 2007

Where is the prototype source?

Comment by Hans Blink — May 15, 2007

Since this post is being increasing linked from elsewhere, I ought to rectify my previous misunderstanding and say that this technique is indeed novel and not used by Dojo as of current.

Comment by Jordan — May 29, 2007

ok so this isnt even meant to circumvent cross domain sites in the first place. even if it did, the gotcha is that you cannot use REST unless you can cram all your query parameters into form actions: form target submission is the only way to iframe load (the only way to do cross domain) with a HTTP-Method other than GET. someone for the love of christ tell me i’m wrong cause this sucks. i’d much rather a json interchange format.

cross site security is garbage just in principle. if you want to be secure, dont link to someone elses content and dont go to sites that redirect you to something suspiciously resembling if you want to be insecure and link to someones content, wish to let their site graft itself onto your site, to me it seems blisteringly obvious that the web page should be permitted to do so, along with the risks that carries, and that users should be informed of the connections. users ought be responsible for their browsing environments, and if cross site scripting happens to be part of their browsing environment when they visit your site, so be it, let them beware and let them take whatever hit. i see no reason to forbid things because they are complicated. to me it seems like the web content holding royalty are just afraid of being mashed upon, and have decided to enforce arbitrary ruling that forces XSS to be so bloody gimped out.

greasemonkey just seems so very unnecessary. its just sanctioning for XSS, but with all the 1991-era pain-in-the-ass of downloading and installing.

Comment by rektide — May 29, 2007

Leave a comment

You must be logged in to post a comment.