HTML5 Security For Beginners
A null Pune presentation on HTML5 Security For Beginners
Transcript

  1. HTML 5 Security for beginners.
  2. Lesson 101: Same Origin Policy
  3. Agenda (Lesson 101): ● Same Origin Policy ● Demos ● Need for CORS
  4. Same Origin Policy : “The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin.” - MDN (https://developer.mozilla.org)
  5. General principle - Origin: defined by the scheme, host and port of a URL. Path, query string and fragment are not part of the origin. http://doepud.co.uk/blog/anatomy-of-a-url
  6. Example: http://store.company.com/dir/page.html Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
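The comparison behind slides 5 and 6, as an added example that is not part of the slide deck: it computes the (scheme, host, port) origin of a URL with the WHATWG URL parser that Node.js and browsers share, and classifies a constructed list of candidate URLs against the slide's example URL. The candidate list mirrors the comparison table on the MDN page the slide cites; the mixed-case, explicit-port entry is an addition to show that normalisation happens before comparison.

```javascript
// Added example, not code from the slides: compute and compare origins the way
// the same-origin policy does. An origin is the (scheme, host, port) triple;
// path, query and fragment play no part.

function originOf(urlString) {
  // URL.origin is already normalised: the host is lower-cased and a default
  // port (80 for http, 443 for https) is dropped, so two spellings of the same
  // origin compare equal as strings.
  return new URL(urlString).origin;
}

function isSameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  // "null" is the serialisation of an opaque origin (file:, data:, ...).
  // Opaque origins are unique: they never match, not even themselves.
  if (a === 'null' || b === 'null') return false;
  return a === b;
}

// Constructed comparisons against the slide's example URL.
const BASE = 'http://store.company.com/dir/page.html';
const CANDIDATES = [
  ['http://store.company.com/dir2/other.html', 'different path'],
  ['http://store.company.com/dir/inner/another.html', 'deeper path'],
  ['http://STORE.Company.com:80/dir/page.html', 'default port written out, host in mixed case'],
  ['https://store.company.com/secure.html', 'different scheme'],
  ['http://store.company.com:81/dir/etc.html', 'different port'],
  ['http://news.company.com/dir/other.html', 'different host'],
];

function classify(base, candidates) {
  return candidates.map(([url, note]) => ({
    url,
    note,
    sameOrigin: isSameOrigin(base, url),
  }));
}

for (const r of classify(BASE, CANDIDATES)) {
  console.log(`${r.sameOrigin ? 'SAME     ' : 'DIFFERENT'}  ${r.url}  (${r.note})`);
}
```

The first three candidates are same-origin (only the path differs, or the difference disappears under normalisation); the last three differ in exactly one origin component each and are rejected.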
  7. FYI - Internet Explorer exceptions (legacy behaviour): ● Trust Zones: if both domains are in the Highly Trusted zone, the same-origin limitations are not applied. ● Port: IE does not include the port in the origin, so http://example.com:80/abc and http://example.com:8080/xyz are treated as the same origin. [Non-standard; no other browser does this.]
  8. Same Origin Policy - Changing Origin: ● A page may relax its own origin by setting document.domain to a suffix of its current domain (e.g. store.company.com may set it to company.com, but not to a public suffix such as com). ● It cannot set document.domain to an unrelated domain. ● Caveats: the other document must also set document.domain explicitly (even to its current value) before the two can script each other; setting it drops the port from the origin used for subsequent checks; the feature is deprecated, and recent Chrome versions ignore the setter unless the site opts back in with an Origin-Agent-Cluster: ?0 response header.
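A model of the rule described on slide 8, as an added example that is not part of the slide deck and not the browser's implementation: relaxDomain() simulates the check the document.domain setter performs (the new value must be a dot-boundary suffix of the current host and must not be a public suffix) and returns the origin used for later same-origin checks, with the port dropped as browsers do. The public-suffix list is a constructed three-entry stand-in for the real Public Suffix List; the function and variable names are chosen for this example.

```javascript
// Added example, not code from the slides: a model of the document.domain
// setter's rules, so the "suffix of its current domain" statement can be
// checked against concrete hosts. This is a re-implementation of the decision,
// not a call into any browser API.

// Constructed, deliberately short stand-in for the Public Suffix List
// (publicsuffix.org). A browser consults the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk']);

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain.toLowerCase());
}

// True when `target` equals `host` or is a suffix of it at a label boundary:
// "company.com" is a suffix of "store.company.com"; "pany.com" is not.
function isDomainSuffix(target, host) {
  host = host.toLowerCase();
  target = target.toLowerCase();
  return host === target || host.endsWith('.' + target);
}

// The origin of a document that never touched document.domain: the port is
// kept (default ports filled in), so it will not match a relaxed origin.
function unrelaxed(url) {
  const u = new URL(url);
  const defaults = { 'http:': '80', 'https:': '443' };
  return {
    scheme: u.protocol.replace(':', ''),
    domain: u.hostname,
    port: u.port || defaults[u.protocol] || '',
  };
}

// Simulate `document.domain = target` for a document loaded from `url`.
// Throws, like the browser's SecurityError, when the assignment is rejected;
// otherwise returns the origin used for subsequent same-origin checks.
function relaxDomain(url, target) {
  const { protocol, hostname } = new URL(url);
  if (!isDomainSuffix(target, hostname)) {
    throw new Error(`SecurityError: "${target}" is not a suffix of "${hostname}"`);
  }
  if (isPublicSuffix(target)) {
    throw new Error(`SecurityError: "${target}" is a public suffix`);
  }
  // Setting document.domain, even to its current value, replaces the port
  // with null in the effective origin.
  return { scheme: protocol.replace(':', ''), domain: target.toLowerCase(), port: null };
}

// Two documents may script each other only when scheme, domain and port all
// agree. A relaxed document (port null) never matches an unrelaxed one.
function canScriptEachOther(a, b) {
  return a.scheme === b.scheme && a.domain === b.domain && a.port === b.port;
}

const storeFrame = relaxDomain('http://store.company.com:8080/cart', 'company.com');
const newsFrame = relaxDomain('http://news.company.com/index.html', 'company.com');
console.log('store <-> news after both relax:', canScriptEachOther(storeFrame, newsFrame));
console.log('store (relaxed) <-> company.com (untouched):',
  canScriptEachOther(storeFrame, unrelaxed('http://company.com/')));
```

The last line is the caveat from the slide notes in action: the top-level company.com page that never set document.domain keeps its port and does not become scriptable just because a subdomain relaxed towards it.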
  9. Demo.
  10. Same Origin Policy - Cross-Origin Network Access: ✔ Cross-origin writes are allowed (links, redirects and form submissions: the browser sends the request, cookies included). ✔ Cross-origin embedding is allowed (next slide). ✗ Cross-origin reads are not allowed: a script cannot read the response body of a cross-origin request, nor the DOM of a cross-origin frame.
  11. Same Origin Policy - Cross-Origin Embedding: ● JavaScript with <script src="..."></script>. ● CSS with <link rel="stylesheet" href="..."> ● Images with <img>. ● Media files with <video> and <audio>. ● Plug-ins with <object>, <embed> and <applet>. ● Anything with <frame> and <iframe> * Mitigation against framing: the X-Frame-Options header (or the CSP frame-ancestors directive, which supersedes it). Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
  12. How to block cross-origin access: ➢ To prevent cross-origin writes, require an unguessable random token (a CSRF token) in every state-changing request; another origin can make the browser send the request but cannot read the token out of your page, so it cannot supply it. ➢ To prevent cross-origin reads of a resource, ensure that it is not embeddable: embedding always leaks some information about a resource (for example, whether it parses as a script). Serve the correct Content-Type with X-Content-Type-Options: nosniff and deny framing. Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
  13. How to allow cross-Origin access. CORS (To be continued...)
  14. References: ● https://developer.mozilla.org/ ● http://www.w3.org/Security/wiki/Same_Origin_Policy ● http://www.slideshare.net/null0x00/cors-and-insecurity - by Riyaz Walikar
