Code, Data Kept Separate
In a mashup scenario, SMash addresses a key part of the browser mashup security issue by keeping code and data from each of the sources separated, while allowing controlled sharing of the data through a secure communication channel. IBM plans to include SMash technology in some of its WebSphere products as well as its commercial mashup maker, Lotus Mashups, which is expected to ship this summer. IBM Lotus Mashups is IBM's first commercial mashup maker for business and will allow nontechnical users to create and share mashups in a secure way. Performance evaluations have shown that SMash can be used in common enterprise mashup applications, IBM officials said.
Russell said SMash is important and is a generalization of Microsoft's Subspaces research and previous work that James Burke had done in Dojo and that Joseph Smarr had done inside of Plaxo. "And, as such, it provides some good properties for cooperating domains to share constrained sets of data inside a browser environment [i.e., without server proxies]," Russell said. However, he said that "nothing is a clear 'winner,' nor is there a single API which wraps it all up and makes it easy to integrate and publish/advertise services for. My personal suspicion is that this will take longer than proponents expect for things to sort themselves out. I'm thinking at least 18 months."
In related news, in February, IBM's X-Force Security Team released the findings of a report detailing a rise in the sophistication of attacks by cyber-criminals on Web browsers worldwide. According to the study, by attacking computer users' browsers, cyber-criminals are able to steal their identities and control the computers without their knowledge.
However, Alex Russell, co-creator of the Dojo Toolkit and a member of the OpenAjax Alliance Security Task Force, said there are concerns about SMash, including data transmission rates that can be reached and forward compatibility with emerging standards.