Departmental Papers (CIS)

Date of this Version


Document Type

Conference Paper


5th International Workshop on Web APIs and Service Mashups (Mashups '11), September 14, 2011, Lugano, Switzerland.


Recent years have seen the emergence of a new programming paradigm for Web applications that emphasizes the reuse of external content, the mashup. Although the mashup paradigm enables the creation of innovative Web applications with emergent features, its openness introduces trust problems. These trust issues are particularly prominent in JavaScript code mashup - a type of mashup that integrated external Javascript libraries to achieve function and software reuse. With JavaScript code mashup, external libraries are usually given full privileges to manipulate data of the mashup application and executing arbitrary code. This imposes considerable risk on the mashup developers and the end users.

One major causes for these trust problems is that the mashup developers tend to focus on the functional aspects of the application and implicitly trust the external code libraries to satisfy security, privacy and other non-functional requirements. In this paper, we present ToMaTo, a development tool that combines a novel trust policy language and a static code analysis engine to examine whether the external libraries satisfy the non-functional requirements. ToMaTo gives the mashup developers three essential capabilities for building trustworthy JavaScript code mashup: (1) to specify trust policy, (2) to assess policy adherence, and (3) to handle policy violation. The contributions of the paper are: (1) a description of JavaScript code mashup and its trust issues, and (2) a development tool (ToMaTo) for building trustworthy JavaScript code mashup.

Subject Area

CPS Formal Methods

Publication Source

5th International Workshop on Web APIs and Service Mashups (Mashups '11)

Start Page

Article No. 5



Copyright/Permission Statement

© ACM 2011. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in Proceedings of the 5th International Workshop on Web APIs and Service Mashups (Mashups '11),


Mashup, Trust, JavaScript, Code Analysis



Date Posted: 07 September 2011

This document has been peer reviewed.