We use access control lists (ACLs) to regulate access that scripts have to objects in name spaces other than their own (e.g., a page in a different browser window or frame). In a nutshell, a document's ACL is a list of URL paths or hostnames. Only a script whose origin appears in the document's ACL may access the name space of this page. The ACL mechanism allows Web developers to both expand and contract the set of domains that they trust. For example, store.com can put partner.com on the ACL of an HTML document that it serves to allow scripts from partner.com full access to the page. Also, emall.com/store1 can prevent scripts from emall.com/store2 from accessing its documents by setting its ACL to emall.com/store1.
The ACL provides an all-or-nothing control for access to a name space by other scripts. Another script is trusted by a document if the script's origin is listed in the document's ACL. Either every object in the document's local name space is accessible (to a trusted script), or none is (to an untrusted script). To complement this, we introduce a new method setPrivate. If for any object obj a script executes setPrivate(obj);, then obj (and any of its properties) is subsequently inaccessible, even to trusted scripts.