• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
HTML5 Security For Beginners
 

HTML5 Security For Beginners

on

  • 1,151 views

A null Pune presentation on HTML5 Security For Beginners

A null Pune presentation on HTML5 Security For Beginners

Statistics

Views

Total Views
1,151
Views on SlideShare
1,151
Embed Views
0

Actions

Likes
0
Downloads
13
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    HTML5 Security For Beginners HTML5 Security For Beginners Presentation Transcript

    • HTML 5 Security for beginners.
    • L 101 : Same Origin Policy
    • Agenda: (Lesson 101) ● Same Origin Policy. ● Demos... ● Need for CORS.
    • Same Origin Policy : “The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin.” - MDN (https://developer.mozilla.org)
    • General Principle: Origin: Defined by scheme, host and port of a URL http://doepud.co.uk/blog/anatomy-of-a-url
    • Eg: http://store.company.com/dir/page.html https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
    • FYI - IE Exceptions ● Trust Zones:If both domains are in highly trusted zone, then the same origin limitations are not applied. ● Port : IE doesn't include port into Same Origin component so http://example.com:80/abc & http://example.com:8080/xyz are considered from the same origin. [ Non-standard and not supported in any of other browsers]
    • Same Origin Policy Changing Origin: ● A page may change its own origin to a suffix of its current domain. ● But it cannot set its document.domain to another domain.
    • Demo.
    • Same Origin Policy Cross-Origin Network Access: ✔ Cross-Origin writes are allowed. (Examples are links, redirects and form sumissions) ✔ Cross-Origin embedding is allowed. ✗ Cross-Origin reads are not allowed.
    • Same Origin Policy Cross-Origin Embedding: ● JavaScript with <script src="..."></script>. ● CSS with <link rel="stylesheet" href="..."> ● Images with <img>. ● Media files with <video> and <audio>. ● Plug-ins with <object>, <embed> and <applet>. ● Anything with <frame> and <iframe> * Mitigation : X-Frame-Options header. Reference : https://developer.mozilla.org/en- US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
    • How to block cross-origin access : ➢ To prevent cross-origin writes, use a random token. ➢To prevent cross-origin reads of a resource, ensure that it is not embeddable. Reference : https://developer.mozilla.org/en- US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
    • How to allow cross-Origin access. CORS (To be continued...)
    • References. ● https://developer.mozilla.org/ ● http://www.w3.org/Security/wiki/Same_Origin_Policy ●http://www.slideshare.net/null0x00/cors-and-insecurity - By Riyaz Walikar