In our model, the JavaScript programmer can model trust explicitly by using ACLs. The toy-store programmer can state in the initialization step of scripting in all of the toy-store pages:
<SCRIPT LANGUAGE="Javascript"> document.ACL = "https://e-mall.com/toy-store"; ... </SCRIPT>
The above statement indicates that only scripts from a URL that is prefixed by the above element of the access control list (ACL) are allowed to access the page's name space. Thus, if a script embedded in e-mall.com/pet-shop/snoop.html executes the following:
<SCRIPT LANGUAGE="Javascript"> toy_store_check_out_window = window.open("https://e-mall.com /toy-store/checkout.html"); ...the page will be loaded into a new browser window on the user's desktop, but its name space will be inaccessible to the calling script.
If toy-store decides to collaborate with baby-store in order to cross-link, then the initialization might look like:
document.ACL = "https://e-mall.com/toy-store https://e-mall.com/baby-store"; ...If these two stores want to collaborate further with a site that is not even part of the e-mall domain (e.g., the parentsoup site), then while the existing browsers do not allow this, our model can accommodate this easily by using the following:
document.ACL = "https://e-mall.com/toy-store https://e-mall.com/baby-store www.parentsoup.com"; ...The last entry above is a domain name, which includes all pages from that domain in the ACL.