I have been looking at the mashup problem. All scripts run with the authority of the base page, so mashups are not indicated for any application containing private data or managing a private connection. That is extremely limiting. Even worse, it turns out that rich media ads are mashups.
I had been thinking that the solution was to replace JavaScript with a capability language like E (http://erights.org/) and to replace the DOM with a capability DOM. I am now thinking that a far less drastic solution is required: a module facility that forms a trust boundary in the page with a communications mechanism that does not allow capability leakage. It requires no changes to JavaScript and a small, incremental change to HTML. The proposal is here: http://json.org/module.html
