Skip to main content
ToMaTo: A Trustworthy Code Mashup Development Tool
5th International Workshop on Web APIs and Service Mashups (Mashups '11)
  • Jian Chang, University of Pennsylvania
  • Krishna Venkatasubramanian, University of Pennsylvania
  • Andrew G West, University of Pennsylvania
  • Sampath Kannan, University of Pennsylvania
  • Oleg Sokolsky, University of Pennsylvania
  • Myuhng Joo Kim, Seoul Women's University
  • Insup Lee, University of Pennsylvania
Date of this Version
Document Type
Conference Paper
5th International Workshop on Web APIs and Service Mashups (Mashups '11), September 14, 2011, Lugano, Switzerland.
Recent years have seen the emergence of a new programming paradigm for Web applications that emphasizes the reuse of external content, the mashup. Although the mashup paradigm enables the creation of innovative Web applications with emergent features, its openness introduces trust problems. These trust issues are particularly prominent in JavaScript code mashup - a type of mashup that integrated external Javascript libraries to achieve function and software reuse. With JavaScript code mashup, external libraries are usually given full privileges to manipulate data of the mashup application and executing arbitrary code. This imposes considerable risk on the mashup developers and the end users. One major causes for these trust problems is that the mashup developers tend to focus on the functional aspects of the application and implicitly trust the external code libraries to satisfy security, privacy and other non-functional requirements. In this paper, we present ToMaTo, a development tool that combines a novel trust policy language and a static code analysis engine to examine whether the external libraries satisfy the non-functional requirements. ToMaTo gives the mashup developers three essential capabilities for building trustworthy JavaScript code mashup: (1) to specify trust policy, (2) to assess policy adherence, and (3) to handle policy violation. The contributions of the paper are: (1) a description of JavaScript code mashup and its trust issues, and (2) a development tool (ToMaTo) for building trustworthy JavaScript code mashup.
Copyright/Permission Statement
© ACM 2011. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in Proceedings of the 5th International Workshop on Web APIs and Service Mashups (Mashups '11),
  • Mashup,
  • Trust,
  • JavaScript,
  • Code Analysis
Citation Information
Jian Chang, Krishna Venkatasubramanian, Andrew G West, Sampath Kannan, et al.. "ToMaTo: A Trustworthy Code Mashup Development Tool" 5th International Workshop on Web APIs and Service Mashups (Mashups '11) (2011) p. Article No. 5
Available at: