SlideShare a Scribd company logo

HTML5 security

B
bedney

The document discusses HTML5 security, emphasizing that many new capabilities are primarily JavaScript APIs rather than modifications to HTML itself. It highlights the persistent same-origin model as a key aspect of web security and provides recommendations for safe API use, particularly in intranet/extranet environments. The future of web security includes initiatives like the Content Security Policy and the importance of educational and organizational policies to effectively manage user behavior and security.

Technology
1 of 18
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
HTML5 Security William J. Edney Technical Pursuit Inc. Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. Clarification • Much of what is termed “HTML5”, insofar as new programming capability is concerned, is really not HTML. It is really more JavaScript API added to the browser. Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. “Hot button” issue • Much of ‘external facing’ computing is done on the Web these days • E-commerce • Customer care • Partner collaboration Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. What hasn’t changed: Same Origin Model • Core of web security • Same host • Same protocol • Same port • XMLHTTPRequest is bound by this model Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. What hasn’t changed: Extensions / addons • Browsers can get access to: • Bookmarks • File system • Cross-origin XHR • Require extra user permission to install Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. “HTML5” additions • Cross-Origin Resource Sharing (CORS) • [Web, DOM, Local] Storage • Indexed DB (supplants WebDB) • Offline Apps (‘HTML5 manifest’) • Geolocation API • Downloadable Fonts Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. “HTML5” additions • Cross-window messaging (‘postMessage’) • Filesystem APIs • Device APIs (Camera, GPS, etc.) Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. Future • Web Crypto • Web Real Time Communication (WebRTC) • Today in Chrome and Firefox Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. Relaxing same-origin • document.domain property • siteA.foo.com and siteB.foo.com can become ‘foo.com’ and communicate • JSONP • HTML5: CORS • HTML5: postMessage() Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. Core issues • No fine-grained security model • ‘Same origin’ policy is the master for the foreseeable future • Some APIs prompt the user for permission • Users are becoming overwhelmed Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. API Recommendations • CORS • For intranet/extranet data-sharing, use specific domains - not “Access-Control-Allow-Origin: *” • [Web, DOM, Local] Storage • Use encryption, if available Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. API Recommendations • IndexedDB • Use encryption, if available • Offline Apps • Geolocation API • Intranet/Extranet: Use sparingly Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. API Recommendations • Downloadable fonts: • Intranet/Extranet: Don’t use them • Cross-window messaging (‘postMessage’) • Intranet/Extranet: Use sparingly Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. API Recommendations • Filesystem APIs • Intranet/Extranet: Don’t use them • Device APIs • Intranet/Extranet: Use sparingly • x-frame-options HTTP header Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. Future • W3C has begun work on the “Content Security Policy” • Fine-grained, cross API, security mechanism • Currently a candidate recommendation Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. Organizational policies • Use different browsers (or browser profiles) for tasks requiring different levels of security • IE for work, FF for play / personal • Use work machine / browser only for work • Use own device for personal Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. Conclusion • Browsers are becoming more powerful • Users will upgrade • Users will find ways around your attempts to prevent them from upgrading • As with much of IT security, the real solution lies in education and organizational policy Thursday, May 16, 13
William J. Edney Technical Pursuit Inc. Questions? • Thanks! Thursday, May 16, 13

More Related Content

KEY
ARTDM 171, Week 2: A Brief History + Web Basics
Gilbert Guerrero
 
PDF
Dan Appelquist at BBC News Labs : "firefoxOS - the web, mobile, web apps"
BBC News Labs
 
PPT
Youth Dynamix
Heavy Chef
 
PPTX
Heavy Chef Session - Justin Stanford's presentation on Online Security
Heavy Chef
 
PDF
What can creativity do?
Heavy Chef
 
PPTX
A Message To Starbucks
AJBlumenfeld
 
PDF
DYNAMIX GROUP SLIDESHARE 2016
Jeff Javorek
 
PDF
Heavy Chef March: Building Great Mobisites
Heavy Chef
 
ARTDM 171, Week 2: A Brief History + Web Basics
Gilbert Guerrero
 
Dan Appelquist at BBC News Labs : "firefoxOS - the web, mobile, web apps"
BBC News Labs
 
Youth Dynamix
Heavy Chef
 
Heavy Chef Session - Justin Stanford's presentation on Online Security
Heavy Chef
 
What can creativity do?
Heavy Chef
 
A Message To Starbucks
AJBlumenfeld
 
DYNAMIX GROUP SLIDESHARE 2016
Jeff Javorek
 
Heavy Chef March: Building Great Mobisites
Heavy Chef
 

Similar to HTML5 security (20)

KEY
ClubAJAX Basics - Server Communication
Mike Wilcox
 
PPTX
Datasets, APIs, and Web Scraping
Damian T. Gordon
 
PDF
Drawing the Line with Browser Compatibility
jsmith92
 
PDF
Stabilising a large ibm connections environment
Martijn de Jong
 
PPTX
Frontend State of the union
Filip Bruun Bech-Larsen
 
PDF
Firefox OS Workshop @ Serbia & Montenegro - Training
Jan Jongboom
 
PDF
Danger! Danger! Your Mobile Applications Are Not Secure
TechWell
 
PDF
Html5 Application Security
chuckbt
 
PDF
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
Ryan Koop
 
PDF
The Future of the web
Filip Bruun Bech-Larsen
 
PPTX
Codestrong 2012 breakout session introduction to mobile web and best practices
Axway Appcelerator
 
PDF
Future of the Web
Filip Bruun Bech-Larsen
 
PPTX
A Brave New World
SensePost
 
PDF
Frontend development of the (current) future
Filip Bruun Bech-Larsen
 
ZIP
Building iPhone/Andriod Apps with Titanium Appcelerator for a Rails Backend
Andrew Chalkley
 
PDF
Designing & Building Secure Web APIs
CodeOps Technologies LLP
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
PDF
Ch 10: Hacking Web Servers
Sam Bowne
 
PDF
04. Open Source Development Platforms.pdf
Asme19
 
PDF
The 3 Top Techniques for Web Security Testing Using a Proxy
TEST Huddle
 
ClubAJAX Basics - Server Communication
Mike Wilcox
 
Datasets, APIs, and Web Scraping
Damian T. Gordon
 
Drawing the Line with Browser Compatibility
jsmith92
 
Stabilising a large ibm connections environment
Martijn de Jong
 
Frontend State of the union
Filip Bruun Bech-Larsen
 
Firefox OS Workshop @ Serbia & Montenegro - Training
Jan Jongboom
 
Danger! Danger! Your Mobile Applications Are Not Secure
TechWell
 
Html5 Application Security
chuckbt
 
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
Ryan Koop
 
The Future of the web
Filip Bruun Bech-Larsen
 
Codestrong 2012 breakout session introduction to mobile web and best practices
Axway Appcelerator
 
Future of the Web
Filip Bruun Bech-Larsen
 
A Brave New World
SensePost
 
Frontend development of the (current) future
Filip Bruun Bech-Larsen
 
Building iPhone/Andriod Apps with Titanium Appcelerator for a Rails Backend
Andrew Chalkley
 
Designing & Building Secure Web APIs
CodeOps Technologies LLP
 
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
Ch 10: Hacking Web Servers
Sam Bowne
 
04. Open Source Development Platforms.pdf
Asme19
 
The 3 Top Techniques for Web Security Testing Using a Proxy
TEST Huddle
 
Ad

Recently uploaded (20)

PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PDF
August Patch Tuesday
Ivanti
 
PPTX
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
Unlock new opportunities with location data.pdf
Precisely
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
August Patch Tuesday
Ivanti
 
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Unlock new opportunities with location data.pdf
Precisely
 
What is a Computer? Input Devices /output devices
GulJan8
 
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Ad

HTML5 security

  • 1. HTML5 Security William J. Edney Technical Pursuit Inc. Thursday, May 16, 13
  • 2. William J. Edney Technical Pursuit Inc. Clarification • Much of what is termed “HTML5”, insofar as new programming capability is concerned, is really not HTML. It is really more JavaScript API added to the browser. Thursday, May 16, 13
  • 3. William J. Edney Technical Pursuit Inc. “Hot button” issue • Much of ‘external facing’ computing is done on the Web these days • E-commerce • Customer care • Partner collaboration Thursday, May 16, 13
  • 4. William J. Edney Technical Pursuit Inc. What hasn’t changed: Same Origin Model • Core of web security • Same host • Same protocol • Same port • XMLHTTPRequest is bound by this model Thursday, May 16, 13
  • 5. William J. Edney Technical Pursuit Inc. What hasn’t changed: Extensions / addons • Browsers can get access to: • Bookmarks • File system • Cross-origin XHR • Require extra user permission to install Thursday, May 16, 13
  • 6. William J. Edney Technical Pursuit Inc. “HTML5” additions • Cross-Origin Resource Sharing (CORS) • [Web, DOM, Local] Storage • Indexed DB (supplants WebDB) • Offline Apps (‘HTML5 manifest’) • Geolocation API • Downloadable Fonts Thursday, May 16, 13
  • 7. William J. Edney Technical Pursuit Inc. “HTML5” additions • Cross-window messaging (‘postMessage’) • Filesystem APIs • Device APIs (Camera, GPS, etc.) Thursday, May 16, 13
  • 8. William J. Edney Technical Pursuit Inc. Future • Web Crypto • Web Real Time Communication (WebRTC) • Today in Chrome and Firefox Thursday, May 16, 13
  • 9. William J. Edney Technical Pursuit Inc. Relaxing same-origin • document.domain property • siteA.foo.com and siteB.foo.com can become ‘foo.com’ and communicate • JSONP • HTML5: CORS • HTML5: postMessage() Thursday, May 16, 13
  • 10. William J. Edney Technical Pursuit Inc. Core issues • No fine-grained security model • ‘Same origin’ policy is the master for the foreseeable future • Some APIs prompt the user for permission • Users are becoming overwhelmed Thursday, May 16, 13
  • 11. William J. Edney Technical Pursuit Inc. API Recommendations • CORS • For intranet/extranet data-sharing, use specific domains - not “Access-Control-Allow-Origin: *” • [Web, DOM, Local] Storage • Use encryption, if available Thursday, May 16, 13
  • 12. William J. Edney Technical Pursuit Inc. API Recommendations • IndexedDB • Use encryption, if available • Offline Apps • Geolocation API • Intranet/Extranet: Use sparingly Thursday, May 16, 13
  • 13. William J. Edney Technical Pursuit Inc. API Recommendations • Downloadable fonts: • Intranet/Extranet: Don’t use them • Cross-window messaging (‘postMessage’) • Intranet/Extranet: Use sparingly Thursday, May 16, 13
  • 14. William J. Edney Technical Pursuit Inc. API Recommendations • Filesystem APIs • Intranet/Extranet: Don’t use them • Device APIs • Intranet/Extranet: Use sparingly • x-frame-options HTTP header Thursday, May 16, 13
  • 15. William J. Edney Technical Pursuit Inc. Future • W3C has begun work on the “Content Security Policy” • Fine-grained, cross API, security mechanism • Currently a candidate recommendation Thursday, May 16, 13
  • 16. William J. Edney Technical Pursuit Inc. Organizational policies • Use different browsers (or browser profiles) for tasks requiring different levels of security • IE for work, FF for play / personal • Use work machine / browser only for work • Use own device for personal Thursday, May 16, 13
  • 17. William J. Edney Technical Pursuit Inc. Conclusion • Browsers are becoming more powerful • Users will upgrade • Users will find ways around your attempts to prevent them from upgrading • As with much of IT security, the real solution lies in education and organizational policy Thursday, May 16, 13
  • 18. William J. Edney Technical Pursuit Inc. Questions? • Thanks! Thursday, May 16, 13