Interactive systems connected by wide area networks such as the Internet have steadily evolved into vibrant mediums for information exchange, social interaction and sharing of digital media. Internet users typically maintain one or more accounts with various service providers that feature customizable personal pages, such as personal home pages (e.g., my.yahoo.com, etc.), personal pages on social network sites (e.g., facebook.com, myspace.com, etc.), and the like. To enhance the utility and customization of such pages to end users, service providers sometimes allow users to customize their pages with one or more functional modules or widgets (hereinafter referred to as modules).
In web or Internet environments, these modules can include HTML code and scripts (such as JavaScript, and Asynchronous JavaScript and XML (AJAX)) that execute within the context of a client application, such as a browser, to achieve a variety of useful or entertaining functions. For example, modules can be developed to display content, such as blog entries, news headlines or podcasts, obtained from Really Simple Syndication (RSS) feeds. Other modules can be developed to display a slideshow of photos hosted on a content aggregation site, such as flickr.com. Other modules can display real-time stock quotes. In many instances, the modules appear in a base HTML document as frames or Inline Frames (iframes), which makes it possible to embed another HTML document inside the base HTML document.
The service providers maintaining these customizable pages may develop a number of modules from which users may select and add to their pages. Given the wide variety of functions that modules can perform and the seemingly unlimited creativity of users, however, some service providers also provide an open development environment that allows third parties to develop modules, as well. Given the security issues involved in allowing third party modules, however, service providers also typically rely on certain measures to minimize the security concerns regarding third-party modules. Specifically, content in different windows and frames of a web page can interact in powerful ways by scripting with the document object model. However, since a browser client can simultaneously display unrelated content, such as a base page and one or more modules, in its various windows and frames, certain policies must be applied to protect data integrity and privacy of information. If no security measures are taken, a module executing in one frame might be able to learn information in other modules or the base document. To allow unfettered access in this manner could be a breach of the user's privacy.
Accordingly, most publicly available browser clients (such as Mozilla® Firefox, and Microsoft® Internet Explorer®) support a domain security model that only allows interactions with content from the same origin. For example, an object of an iframe corresponding to one domain (e.g., http://yahoo.com/) may not access the content of another frame or the base document, if the content is sourced from another domain (e.g., https://example.com/). As to Javascript, for instance, to prevent cross-site security problems, browsers enforce the same origin policy in the javascript object model. That is, scripts running in one iframe may not access any objects inside another iframe, unless both pages in the iframes come from the same origin. Some browsers consider two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. Without domain security, a rogue page could snoop on another page, access cookies outside its domain, or manipulate content using Dynamic HyperText Markup Language (DHTML).
Service providers may take advantage of the domain security model supported by standard browsers in connection with third party modules. For example, a service provider may serve HTML documents, including a third party module or references (e.g., src attribute) to the third party module, in iframes corresponding to a different origin or domain from the base document, as well as documents embedded in other iframes. In this manner, operation of a given third party module is effectively contained within the context of its corresponding iframe.