> > 5 Security Threats in HTML5

5 Security Threats in HTML5

Posted on Thursday, August 18, 2011 by Arman Zulhajar






Now, with the nearly-complete standard for HTML5 being implemented (at least in part) in the latest or beta versions of all the major browsers, including Internet Explorer, Firefox, Safari, Chrome and Opera, many of the advanced Web app features developers need will be available in native HTML..
 






1. Cross-Document Messaging 

In an earlier effort to promote security on the Web, HTML4 does not allow pages from one domain to pass or access data in pages from another domain. For example, if a page loaded from domain1.com contains JavaScript code that reads the position of the mousepointer after a click, it cannot pass that data to a page loaded from domain2. com, which may be in another window (a pop-up spawned by the frst page, for example).

 




2. Local Storage 

 New to HTML5 is offine storage, a client-side SQL database that can be accessed by JavaScript in a Web page. Like many other HTML5 features, local storage is something that has existed by virtue of third-party development (Google Gears), but is now being adopted into the HTML standard.

 




3. Attribute Abuse 

In addition to providing many new tags, HTML5 also introduces new attributes, some of which apply to familiar tags and may be subject to abuse. A particular threat is when attributes can be used to trigger automatic script execution.

For example, the new HTML5 attribute “autofocus” will automatically switch browser focus to the specifed element a trick that is sometimes useful for user interface design and previously had been implemented using JavaScript. But a malicious site could use the autofocus attribute to steal focus unwittingly from the end user, possibly giving focus to a window that is rigged to execute malicious code when active.



 


4. Inline Multimedia and SVG 

HTML5 is signifcantly more multimedia-savvy than its predecessor. Until now, browsers needed to rely on third-party plug-ins (such as Flash) to embed most major media formats, including MP3 audio and MP4 video.

 




5. Input Validation 

Web developers have had to rely on server-side processing to implement rigorous input validation, but this method provides a poor user experience, even though AJAX practices have improved the situation. HTML5 provides rich client-side input validation, empowering Web developers to defne input boundaries alongside the forms themselves, with instant feedback provided to users.

Additionally, hackers may be able to exploit client-side validation for example, fawed regular expression (regex) syntax in page code to, for example, create a Denial of Service (DoS) attack by sending the browser into an infnite loop


Category Article , ,

What's on Your Mind...

Random Posts

  • Rainbow Web 3 [FINAL]
    Rainbow Web 3 [FINAL] GAME » Match3 The dark Sorcerer Spider has risen to power again, and you are the only one who can stop this villain! ...
  • Halo: Combat Evolved Anniversary - Order Now!
    Halo: Combat Evolved Anniversary is an amazing remastered version of the original "Halo" campaign, created in celebration of the ...
  • CreaVures [FINAL]
    CreaVures ( PLATFORM ) [FINAL] Restore the light and help five different CreaVures work together as they save the dying forest in this fun A...
  • Fashion Forward [FINAL]
    Fashion Forward(DASH) [FINAL]| 98 MB finds all is not smiles and sunshine in Fashion Forward, a fun time management adventure from Sandlot G...
  • Blue period
    askutiniu metu vis pataikau žiūrėti liūdnus filmus. Vakarykštį vakarą praleidome keturiese prie "The road" . Vis dar kelia smalsum...
Powered by Blogger.