With the proliferation of computing and networking technologies an increasing number of applications such as productivity applications providing word processing, spreadsheet, presentation, communication, and similar services are provided in browser based form in addition or in place of locally installed versions.
Browser-based applications can be categorized as mashup web applications, where a web page combines content from multiple sources. For example, in a productivity application scenario, the hosting page may be coming from a collaborative service server with an embedded web access component coming from a web access server and a business service extension component coming from a business service or a third party's extension component server. In this context, the hosting page is the integrator and the web access and extension components are gadgets in mashup terms. In such a model, the gadgets may not be fully trusted. A widely adapted solution is to use iframe to sandbox the component(s) and rely on the browser's Same Origin Policy (SOP) scripting policy to prevent one gadget from harming others' data.
However, with iframe as sandbox and SOP as security guard, interactions between trusted extension components and web access components may be limited. Thus, communication channels established between trusted frames may not be both secure and reliable for application isolation in browser-based systems.