Wild Web 2.0

Yee ha! It's the wild Web 2.0, the digital land rush for all domains that end in r. Once you've established yourself, they have to accept you. Leading the charge are thousands of passionate Web 2.0 developers blazing a new mashup frontier. From a security perspective, though, the underlying landscape is still the same; nothing has changed. Actually, that's not true: it has gone backward. Mashups remind me of the old days when JavaScript first appeared on the scene. Back then, JavaScript had some basic integrity problems: attackers could circumvent traditional controls and make their pages appear to be legitimate web sites when in fact they were not. Those problems are what led to the creation of the same-origin policy.

Mashups aren't any different. The content displayed to the user did not come from the site whose URL the user typed, and it is not authenticated. It got mashed up from who knows where by who knows what. There is no mashup origin restriction to stop this kind of thing from happening, and the mashup builders want to keep it that way.

My question is: how are mashups any different from cross-site scripting (XSS)? Both manipulate data before the user sees anything, and that is how most phishing works. The user knows nothing about what really happened to the data before it was rendered: how it was acquired, how it was formatted, or whether it is intact or has been edited. So, I ask again: how is this any different ...

Get Securing Ajax Applications now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.