Yesterday, February 24, Ming Chow gave a talk to the ABCD security group at Harvard on HTML5 security. As far as I can tell he hasn’t made any of the content publicly available online, but here are some high points:
- HTML5 has a lot of new features, giving it a bigger “attack surface.”
- There is no effective security for local and session storage, so writing sensitive information there is a bad idea.
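
As an added example (not part of the talk or this post), here is a defender-side audit that walks a Web Storage object with the standard `length`/`key(i)`/`getItem(k)` API and flags values that look like credentials. Any script that runs on the origin can enumerate storage exactly this way, which is the point above; the secret patterns, the key-name heuristic and the sample entries are all constructed assumptions, not real tokens.

```javascript
// Added example: scan a Storage-like object for values that look like secrets.
// Works on window.localStorage / sessionStorage in a browser and on the mock below in Node.

// Heuristic patterns that commonly indicate a credential (assumed, not exhaustive).
const SECRET_PATTERNS = [
  { name: 'jwt',        re: /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/ },
  { name: 'hex-token',  re: /^[0-9a-f]{32,}$/i },
  { name: 'basic-auth', re: /^Basic [A-Za-z0-9+/=]{8,}$/ },
];
// Key names that suggest the value is sensitive.
const SUSPICIOUS_KEYS = /(token|secret|passw|session|auth|key)/i;

// Returns one finding per entry that matches a suspicious key name or a secret pattern.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    const reasons = [];
    if (SUSPICIOUS_KEYS.test(key)) reasons.push('key-name');
    for (const p of SECRET_PATTERNS) {
      if (typeof value === 'string' && p.re.test(value)) reasons.push(p.name);
    }
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Minimal in-memory Storage mock so the example runs outside a browser.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    get length() { return keys.length; },
    key: (i) => (i < keys.length ? keys[i] : null),
    getItem: (k) => (Object.prototype.hasOwnProperty.call(entries, k) ? entries[k] : null),
  };
}

// Constructed sample data; the token and key below are placeholders, not real credentials.
const SAMPLE = makeStorage({
  theme: 'dark',
  lastVisitedPage: '/docs/html5',
  authToken: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
  apiKey: '0123456789abcdef0123456789abcdef',
});

function auditSample() {
  return auditStorage(SAMPLE);
}

console.log(auditSample());
```

The audit reports the `authToken` and `apiKey` entries and ignores the UI preferences; the remediation it points at is to keep session material in an HttpOnly cookie or in memory rather than in storage that every same-origin script can read.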
- The database feature raises all the standard concerns about injection of malicious SQL code into fields.
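
To make the injection concern concrete, here is an added example (not from the talk or this post) that builds the same Web SQL lookup two ways: by splicing the user's input into the statement text, and by passing it as a bound argument through the `executeSql(sql, args, callback)` signature. `openDatabase` only exists in old browsers, so a small mock transaction (an assumption for this example) stands in for the real one; the input `O'Brien` is constructed.

```javascript
// Added example: Web SQL statement construction, unsafe versus parameterised.

// Vulnerable: user input becomes part of the SQL text, so any quote in it
// changes the structure of the statement.
function buildLookupUnsafe(username) {
  return { sql: "SELECT * FROM users WHERE name = '" + username + "'", args: [] };
}

// Hardened: the statement text is constant and the value travels as a bound
// argument, so the engine never parses it as SQL.
function buildLookupSafe(username) {
  return { sql: 'SELECT * FROM users WHERE name = ?', args: [username] };
}

// Cheap structural check: count single quotes in the statement text.
// The safe builder always yields zero; the unsafe one yields 2 plus whatever
// the input contributes, so an odd count means the input broke the literal.
function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Mock of a Web SQL SQLTransaction: records what would be sent to the engine
// and invokes the success callback with an empty result set.
function mockTransaction() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args, onSuccess) {
      calls.push({ sql, args: (args || []).slice() });
      if (onSuccess) onSuccess(this, { rows: { length: 0 } });
    },
  };
}

// Constructed input: a perfectly legitimate name that happens to contain a quote.
const INPUT = "O'Brien";

function run() {
  const tx = mockTransaction();
  const unsafe = buildLookupUnsafe(INPUT);
  const safe = buildLookupSafe(INPUT);
  tx.executeSql(unsafe.sql, unsafe.args);
  tx.executeSql(safe.sql, safe.args);
  return {
    unsafeQuotes: countQuotes(unsafe.sql),
    safeQuotes: countQuotes(safe.sql),
    calls: tx.calls,
  };
}

console.log(run());
```

With the parameterised form the engine receives the same statement text for every input and the name arrives as data; with the concatenated form a single apostrophe already leaves an unbalanced literal, and anything more elaborate in the input is parsed as SQL.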
- Application caches can be written by any website. It may be possible to spoof pages this way.
- There is now a function, XDomainRequest, in JavaScript, which allows communication between different sites. The receiver of the request must specify Access-Control-Allow-Origin to indicate whose requests are allowed. Wild-carding this allows anyone at all to send data to a page, which may be dangerous. Implementers of a receiver should always verify the sender’s identity.
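
The following is an added example (not from the talk or this post) of the receiver side of that rule: the response headers are computed from an explicit allow-list instead of wild-carding `Access-Control-Allow-Origin`, and an allowed origin still has to present a credential because CORS is not authentication. The handler shape follows Node's `http` module (`req.method`, lower-cased `req.headers`), but the decision is a pure function so it runs without a server; the origins, the `verifyToken` check and the sample requests are placeholders.

```javascript
// Added example: CORS response headers from an allow-list, plus a credential check.

// Origins permitted to call this endpoint (assumed placeholders). Scheme and host
// both matter, so compare the full origin string, not just the hostname.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Returns the CORS headers for a trusted origin, or null for anything else.
// Never echo an arbitrary Origin back, and never pair '*' with
// Access-Control-Allow-Credentials: browsers reject that combination, and echoing
// the origin instead would hand credentialed access to every site.
function corsHeadersFor(origin, { credentials = true } = {}) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // the response depends on Origin, so caches must key on it
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
  };
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// A wildcard is only appropriate for a public resource that carries nothing
// sensitive and never uses credentials.
function publicCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Decide a request: reject unknown origins, answer preflights, then require a
// bearer token validated by verifyToken (placeholder for the app's real check).
function decide(req, verifyToken) {
  const cors = corsHeadersFor(req.headers['origin']);
  if (!cors) return { status: 403, headers: {}, reason: 'origin not allowed' };
  if (req.method === 'OPTIONS') return { status: 204, headers: cors, reason: 'preflight' };
  const auth = req.headers['authorization'] || '';
  if (!auth.startsWith('Bearer ') || !verifyToken(auth.slice('Bearer '.length))) {
    return { status: 401, headers: cors, reason: 'bad credential' };
  }
  return { status: 200, headers: cors, reason: 'ok' };
}

// Constructed requests and a stand-in token check.
const verifyToken = (t) => t === 'demo-token-placeholder';
const SAMPLE_REQUESTS = {
  allowed:   { method: 'POST',    headers: { origin: 'https://app.example.com', authorization: 'Bearer demo-token-placeholder' } },
  unknown:   { method: 'POST',    headers: { origin: 'https://other.example.net', authorization: 'Bearer demo-token-placeholder' } },
  noAuth:    { method: 'POST',    headers: { origin: 'https://app.example.com' } },
  preflight: { method: 'OPTIONS', headers: { origin: 'https://app.example.com' } },
};

function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) out[name] = decide(req, verifyToken);
  return out;
}

console.log(runSamples());
```

The `Vary: Origin` header matters whenever the allowed origin is reflected: without it a shared cache could serve one origin's response, with its `Access-Control-Allow-Origin`, to a request from another.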
- With the audio, video, and canvas tags, the codecs can be vulnerable. Opera has been hit with a heap buffer overflow exploit in HTML5.
- The noscript tag is no longer supported. Users who try to make themselves safer by disabling JavaScript are more screwed than ever.
- The problems are new, but the approach to safety is the same: common sense, input validation, being careful with unsecured connections, etc.