While writing my thesis about security in web2.0 i have implemented the
Module-Tag from Douglas Crockford. It enables a site to communicate with
embedded widgets while preventing the widget from manipulating the site.
In order to make some use of this Firefox-Extension, i published the
code at [addons.mozilla.org/de/firefox/addon/10090]. This extension
works with frames, because of the use of the Same-Origin-Policy to
separate site and widget from each other. An interface provides the
functionality to send messages from the site to the widget and backwards.
The goal is to discuss the Module-Tag and its usefulness to modern web
security especially while using widgets.
I would like to ask for opinions about the Module-Tag and my
implementation of it. I couldn't find any alternative extensions or
projects with the same security service,so i think this will be a very
useful one to everybody.
I'm wondering why there is no comment on this. Is this the wrong place
to discuss it or is the Module-Tag uninteresting to you or are there
more infos needed?
What do you think about the concept of the module tag?
This is interesting work to see, but you might find more direct
interest in the mozilla.dev.security newsgroup, where technologies
like Origin Headers, Content Security Policy, are discussed. Your
work would seem to fit nicely into that category, would you agree?