The Web 2.0 Conundrum - How Much Control is Too Much?
CrashRoX asks: "One of the big hypes with Web 2.0 is that users should be able to control their content. We then end up with all assortments of mash-ups, widgets, feeds and customized pages/profiles. Given this, where do site admins draw the line on what users can do? MySpace is the best example for this question. Their popularity is based on promoting the fact that you can have a page that displays your personality, customize it and pretty much do whatever you want to it. Over time, they've had security problems with users using JavaScript. That privilege was revoked not too long after. Most recently, they've limited the use of Flash controls and have started banning certain widgets (like YouTube and others). Sites like Google let you create your own widgets using an API. How much control from a programming, security and usability point of view should we give users? What guidelines should developers follow for building Web 2.0 sites?"
As much control as reasonably practical, without intruding on other users' security.
For example, a page that only gets seen by me (e.g. a plugin for my customised Google homepage) might as well let me write JavaScript: to do so wouldn't mess with anyone else's security.
On the other hand, a public page in the myspace.com domain could use JavaScript to read visitors' cookies and forward them to malicious third parties. If the ability to do this was left open, it would inevitably be exploited. This would impinge upon the users' security, and hence should not be allowed.
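
An added example, not part of the comment above or of any site's code: a small model of which cookies `document.cookie` exposes to a script, showing why user-authored script on a shared domain can see a session cookie and how `HttpOnly` or a separate domain for user pages changes that. The host names (`example.com`, `example.net`), cookie names and values are constructed assumptions.

```javascript
// Added example. Models which cookies document.cookie exposes to a script.
// Simplified: Path, Secure, SameSite and expiry are ignored.

// RFC 6265 domain-match: same host, or host is a subdomain of cookieDomain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Parse one Set-Cookie value as received from requestHost.
// Returns null when the Domain attribute does not cover requestHost (browser rejects it).
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: requestHost.toLowerCase(), hostOnly: true, httpOnly: false };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "httponly") cookie.httpOnly = true;
    if (key.toLowerCase() === "domain" && val !== "") {
      if (!domainMatches(requestHost, val)) return null;
      cookie.domain = val.toLowerCase().replace(/^\./, "");
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Names of the cookies a script running on pageHost can read.
function scriptVisibleCookies(jar, pageHost) {
  return jar
    .filter((c) => c !== null && !c.httpOnly)
    .filter((c) => (c.hostOnly ? pageHost.toLowerCase() === c.domain
                               : domainMatches(pageHost, c.domain)))
    .map((c) => c.name);
}

// Constructed sample: cookies set by www.example.com, user pages on profiles.example.com.
const weakJar = [
  parseSetCookie("session=abc123; Domain=example.com", "www.example.com"),
  parseSetCookie("theme=dark", "www.example.com"),
];
const hardenedJar = [
  parseSetCookie("session=abc123; Domain=example.com; HttpOnly", "www.example.com"),
];

console.log(scriptVisibleCookies(weakJar, "profiles.example.com"));     // [ 'session' ]
console.log(scriptVisibleCookies(hardenedJar, "profiles.example.com")); // []
console.log(scriptVisibleCookies(weakJar, "profiles.example.net"));     // []
```

`HttpOnly` only hides the cookie from script; user pages served from the same origin as the main site can still issue requests that carry it, which is why hosting user-authored content on a separate registrable domain is the stronger control.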