vat - No Fluff Just Stuff

vat

Posted by: Douglas Crockford on March 24, 2008

The HTML environment lacks modularity. It is not possible to run guest code and be confident that it will not attack the page that hosts it. Some of the popular attacks are XSS, XSRF, and phishing. This deficiency is a huge source of insecurity. The <iframe> has been suggested as a sandboxed container, but the <iframe> is still subject to two of the three attacks (its requests carry the user's cookies, so it can mount XSRF, and it can navigate the containers around it, so it can phish), so it is far from safe.

I have proposed that we replace <iframe> with <module>. The <module> is a vat that prohibits all three attacks (although as long as we have JavaScript and the DOM, it will still be subject to internal XSS attacks). It may be easier to provide an option that lets <iframe> and <frame> and <body> behave like vats.

If we add a vat attribute to an insecure container, then the container is locked down. It is not allowed to access the DOM tree of another container. Other containers are not allowed to access its DOM tree. It is not allowed to navigate other containers (set their location). HTTP requests made from the container to sites other than the container's domain do not carry cookies or other ambient authority. A script should be able to easily determine whether it is in a vat or not. The vat attribute is included in the HTTP requests for the vat's assets, so the server can tell that its content is being loaded into a vat.

The only local way that a vat container can interact with another container is through a communications mechanism such as Cross Document Messaging (XDM). With such containment, we could include components from other sites using a notation such as <iframe vat src="pirate.net/theworst.html">. The browser would then be minimally adequate for mashups.
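As an added example (not code from Crockford's post; the vat attribute itself was a proposal, not a shipped feature): the one channel the post leaves open to a vat is Cross Document Messaging, which browsers later shipped as window.postMessage. The host side of that channel is where the residual risk sits, so this block shows a host message handler that checks the sender's origin, accepts only a small explicit protocol and rejects everything else, plus a guest-side sender that always names its target origin rather than "*". The origins, the message types and the fake window object are assumptions made so the code runs in Node without a browser.

```javascript
// Added example, not from the original post. Models the host/guest contract
// over Cross Document Messaging (window.postMessage). Runs offline by feeding
// constructed event objects to the handlers instead of real browser events.

const HOST_ORIGIN = "https://example.com";   // assumed origin of the host page
const GUEST_ORIGIN = "https://pirate.net";   // guest origin from the post's example

// Host side: the handler the host page registers for "message" events.
// The vat may ask for nothing except these named operations; the host
// decides what each one is allowed to touch.
function makeHostHandler(expectedGuestOrigin, state) {
  return function onMessage(event) {
    // First check: exact origin match against the origin we embedded.
    if (event.origin !== expectedGuestOrigin) {
      return { ok: false, error: "unexpected origin" };
    }
    // Second check: the payload is a string holding a JSON object with a type.
    let msg = null;
    try {
      msg = typeof event.data === "string" ? JSON.parse(event.data) : null;
    } catch (e) {
      msg = null;
    }
    if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
      return { ok: false, error: "malformed message" };
    }
    // Third check: only known operations, with their arguments validated.
    switch (msg.type) {
      case "resize": {
        const h = Number(msg.height);
        if (!Number.isInteger(h) || h < 0 || h > 2000) {
          return { ok: false, error: "bad height" };
        }
        state.height = h;             // the only host state the vat may change
        return { ok: true };
      }
      case "get-theme":
        return { ok: true, reply: JSON.stringify({ type: "theme", value: state.theme }) };
      default:
        return { ok: false, error: "unknown message type" };
    }
  };
}

// Guest side: always name the host origin as the target. Passing "*" would let
// whatever page had navigated the host container read what the vat sends.
function sendToHost(hostWindow, hostOrigin, msg) {
  hostWindow.postMessage(JSON.stringify(msg), hostOrigin);
}

// Constructed stand-in for a browser window (assumption) that records calls.
function fakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); },
  };
}

// Drives both sides with constructed events and returns everything observed.
function demo() {
  const state = { height: 0, theme: "dark" };
  const onMessage = makeHostHandler(GUEST_ORIGIN, state);
  const results = [
    onMessage({ origin: GUEST_ORIGIN, data: JSON.stringify({ type: "resize", height: 300 }) }),
    onMessage({ origin: "https://evil.example", data: JSON.stringify({ type: "resize", height: 10 }) }),
    onMessage({ origin: GUEST_ORIGIN, data: "not json" }),
    onMessage({ origin: GUEST_ORIGIN, data: JSON.stringify({ type: "eval", code: "alert(1)" }) }),
    onMessage({ origin: GUEST_ORIGIN, data: JSON.stringify({ type: "get-theme" }) }),
  ];
  const host = fakeWindow();
  sendToHost(host, HOST_ORIGIN, { type: "resize", height: 300 });
  return { state, results, sent: host.sent };
}

console.log(demo());
```

The three checks are ordered so that the cheapest rejection comes first: a message from the wrong origin is dropped before it is even parsed, and nothing in the handler ever evaluates guest-supplied strings or hands the guest a reference into the host's DOM. The same structure applies unchanged to a real "message" listener; only the event source and the window object differ.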

It will still be a dangerous environment, and will continue to be dangerous until we replace JavaScript and the DOM. But this small improvement would move us way ahead. The construction of secure mashups will no longer be impossible, just risky.

Douglas Crockford

About Douglas Crockford

Crock is a product of our public school system. A registered voter, he owns his own car. He has developed office automation systems. He did research in games and music at Atari. He was Director of Technology at Lucasfilm. He was Director of New Media at Paramount. He was the founder and CEO of Electric Communities/Communities.com. He was founder and CTO of State Software, where he discovered JSON. He is now an architect at Yahoo!.
