Security Issues About HTML5 What Developers Need to Keep in Mind

Home

Web Front-end

H5 Tutorial

Security Issues About HTML5 What Developers Need to Keep in Mind_html5 Tutorial Tips

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

May 16, 2016 pm 03:51 PM

Application security experts say HTML5 brings new security challenges to developers.
The war of words between Apple and Adobe has led to a lot of speculation about the fate of HTML 5. Although the implementation of HTML 5 still has a long way to go, one thing that is certain is that developers who use HTML 5 New security features will need to be deployed for the application security development lifecycle to address the security challenges posed by HTML5.
So what impact will HTML5 have on the attack surface we need to cover? This article will explore several important security issues about HTML 5.
　Client-side storage
Early versions of HTML only allowed websites to store cookies as local information, and these spaces were relatively small and only suitable for storing simple archive information or as storage in other locations. An identifier for the data, such as a session ID, said Dan Cornell, director of application security research at Denim Group. However, HTML5 LocalStorage allows the browser to store large databases locally, allowing new types of applications to be used.
"The attendant risk is that sensitive data may be stored on the local user's workstation, and an attacker who physically accesses or destroys the workstation can easily obtain the sensitive data," Cornell said, "This is particularly important when using shared computers. "By definition, it's really just the ability to store information on the client system," said Josh Abraham, a security researcher at Rapid7. "Then you have the potential for a client-side SQL injection attack." Potentially, or maybe one of your client's databases is malicious, and when synchronized with the production system, there may be synchronization issues, or the client's potentially malicious data will be inserted into the production system. ”
　To solve this problem. , developers need to be able to verify whether the data is malicious, which is actually a very complex problem.
Not everyone agrees on the importance of this issue. Chris Wysopal, chief technology officer at Veracode, said there have been many ways for web applications to store data client-side, such as through the use of plug-ins or browser extensions.
“There are many known ways to manipulate the HTML5 SessionStorage properties currently deployed, but this issue will not be resolved until the standard is finalized,” Wysopal said.
　
Cross-domain communication While other versions of HTML may allow JavaScript to issue XML HTTP requests back to the original server, HTML5 relaxes this restriction and XML HTTP requests can be sent to any server that allows this. The requested server. Of course, this can also cause serious security problems if the server cannot be trusted.
　“For example, I can build a mashup (a mashup that combines two or more web applications that use public or private databases to form an integrated application) to pull game scores from third-party websites through JSON (Javascript Object Notation),” Cornell said, "This website could send malicious data to an application that is running in my user's browser. Although HTML5 allows the creation of new types of applications, if developers do not understand these features when they start to use them, The security implications of the created application will bring great security risks to users. ”
For developers who write applications that rely on PostMessage(), they must carefully check to ensure that the information comes from the source. their own website, otherwise malicious code from other websites could create malicious messages, Wysopal added. This feature is not inherently secure, and developers have begun using different DOM (Document Object Model)/browser features to emulate cross-domain communication.
Another related issue is that the World Wide Web Consortium currently provides a way to bypass the same-origin policy using a similar cross-domain mechanism for cross-origin resource sharing designs.
“IE deploys different security features than Firefox, Chrome and Safari,” he noted. “Developers need to ensure they are harmed by creating access control lists that are too permissive, especially since some reference code is currently very insecure.
　
Iframe security 　From a security perspective, HTML5 also has good features, such as plans to support the sandbox attribute of iframes.
　"This attribute will allow developers to choose how the data is interpreted. "Unfortunately, like most HTML, this design is likely to be misunderstood by developers, and it is likely to be disabled by developers because it is inconvenient to use." If done correctly, this feature can help protect against malicious third-party ads or prevent the replay of untrustworthy content. ”

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Understanding H5: The Meaning and SignificanceMay 11, 2025 am 12:19 AM

H5 is HTML5, the fifth version of HTML. HTML5 improves the expressiveness and interactivity of web pages, introduces new features such as semantic tags, multimedia support, offline storage and Canvas drawing, and promotes the development of Web technology.

H5: Accessibility and Web Standards ComplianceMay 10, 2025 am 12:21 AM

Accessibility and compliance with network standards are essential to the website. 1) Accessibility ensures that all users have equal access to the website, 2) Network standards follow to improve accessibility and consistency of the website, 3) Accessibility requires the use of semantic HTML, keyboard navigation, color contrast and alternative text, 4) Following these principles is not only a moral and legal requirement, but also amplifying user base.

What is the H5 tag in HTML?May 09, 2025 am 12:11 AM

The H5 tag in HTML is a fifth-level title that is used to tag smaller titles or sub-titles. 1) The H5 tag helps refine content hierarchy and improve readability and SEO. 2) Combined with CSS, you can customize the style to enhance the visual effect. 3) Use H5 tags reasonably to avoid abuse and ensure the logical content structure.

H5 Code: A Beginner's Guide to Web StructureMay 08, 2025 am 12:15 AM

The methods of building a website in HTML5 include: 1. Use semantic tags to define the web page structure, such as, , etc.; 2. Embed multimedia content, use and tags; 3. Apply advanced functions such as form verification and local storage. Through these steps, you can create a modern web page with clear structure and rich features.

H5 Code Structure: Organizing Content for ReadabilityMay 07, 2025 am 12:06 AM

A reasonable H5 code structure allows the page to stand out among a lot of content. 1) Use semantic labels such as, etc. to organize content to make the structure clear. 2) Control the rendering effect of pages on different devices through CSS layout such as Flexbox or Grid. 3) Implement responsive design to ensure that the page adapts to different screen sizes.

H5 vs. Older HTML Versions: A ComparisonMay 06, 2025 am 12:09 AM

The main differences between HTML5 (H5) and older versions of HTML include: 1) H5 introduces semantic tags, 2) supports multimedia content, and 3) provides offline storage functions. H5 enhances the functionality and expressiveness of web pages through new tags and APIs, such as and tags, improving user experience and SEO effects, but need to pay attention to compatibility issues.

H5 vs. HTML5: Clarifying the Terminology and RelationshipMay 05, 2025 am 12:02 AM

The difference between H5 and HTML5 is: 1) HTML5 is a web page standard that defines structure and content; 2) H5 is a mobile web application based on HTML5, suitable for rapid development and marketing.

HTML5 Features: The Core of H5May 04, 2025 am 12:05 AM

The core features of HTML5 include semantic tags, multimedia support, form enhancement, offline storage and local storage. 1. Semantic tags such as, improve code readability and SEO effect. 2. Multimedia support simplifies the process of embedding media content through and tags. 3. Form Enhancement introduces new input types and verification properties, simplifying form development. 4. Offline storage and local storage improve web page performance and user experience through ApplicationCache and localStorage.

See all articles