Web App Taxonomy

• Commonly known as "widgets"
• Require a separate "download" step before runtime
• Trust often established between widget and widget platform (by means of crypto signatures)
• Trust often proxied by use of an "app-store" model

• Widgets on the server-side
• No separate download step, but often requires installation of content to a "container"
• One website combines content from multiple other websites, often by means of iFrames
• External content validated statically by (for example) Caja, FBJS
• DNS-based trust, proxied by "container" site

• One site creates content which includes requests for content to other sites, or for information provided by the client
• Content is assembled dynamically on the client, based on content from multiple places
• Trust based on a combination of "user grant", enforcement of restrictions such as SOP, and other techniques (CORS, UMP, OAuth et al)