Yesterday, February 24, Ming Chow gave a talk to the ABCD security group at Harvard on HTML5 security. As far as I can tell he hasn’t made any of the content publicly available online, but here are some high points:
- HTML5 has a lot of new features, giving it a bigger “attack surface.”
- There’s no effective security to local and session storage, so writing sensitive information there is a bad idea.
- The database feature raises all the standard concerns about injection of malicious SQL code into fields.
- Application caches can be written by any website. It may be possible to spoof pages this way.
- With the audio, video, and canvas tags, the codecs can be vulnerable. Opera has been hit with a heap buffer overflow exploit in HTML5.
- The problems are new, but the approach to safety is the same: common sense, input validation, being careful with unsecured connections, etc.