HTML5 security

A mid-level manager's talk about the new capabilities in HTML5 and what to watch out for security-wise.

  1. HTML5 Security
     William J. Edney
     Technical Pursuit Inc.
     Thursday, May 16, 13

  2. Clarification
     • Much of what is termed “HTML5”, insofar as new programming capability is concerned, is really not HTML. It is really more JavaScript API added to the browser.

  3. “Hot button” issue
     • Much of ‘external facing’ computing is done on the Web these days
       • E-commerce
       • Customer care
       • Partner collaboration

  4. What hasn’t changed: Same Origin Model
     • Core of web security
       • Same host
       • Same protocol
       • Same port
     • XMLHttpRequest is bound by this model

  5. What hasn’t changed: Extensions / addons
     • Browsers can get access to:
       • Bookmarks
       • File system
       • Cross-origin XHR
     • Require extra user permission to install

  6. “HTML5” additions
     • Cross-Origin Resource Sharing (CORS)
     • [Web, DOM, Local] Storage
     • Indexed DB (supplants WebDB)
     • Offline Apps (‘HTML5 manifest’)
     • Geolocation API
     • Downloadable Fonts

  7. “HTML5” additions
     • Cross-window messaging (‘postMessage’)
     • Filesystem APIs
     • Device APIs (Camera, GPS, etc.)

  8. Future
     • Web Crypto
     • Web Real Time Communication (WebRTC)
       • Today in Chrome and Firefox

  9. Relaxing same-origin
     • document.domain property
       • siteA.foo.com and siteB.foo.com can become ‘foo.com’ and communicate
     • JSONP
     • HTML5: CORS
     • HTML5: postMessage()
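The following is an added example, not code from the deck or its author: it spells out the host/protocol/port comparison behind the same-origin model of slide 4 and the document.domain relaxation of slide 9. It runs in Node.js, whose URL class parses origins the way a browser does; the host names are made up, and the document.domain check is simplified (it rejects single-label values instead of consulting the Public Suffix List).

```javascript
// Added example, not from the deck: the same-origin comparison (slide 4) and
// the document.domain relaxation (slide 9), runnable in Node.js.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Reduce a URL to the (scheme, host, port) triple that defines its origin.
// The URL parser drops a default port, so it is restored here: https://a.example
// and https://a.example:443 are one origin.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Which of the three parts differ; useful when working out why XHR was blocked.
function originMismatch(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return ['scheme', 'host', 'port'].filter((part) => x[part] !== y[part]);
}

// The rule XMLHttpRequest is bound by: all three parts must match.
function sameOrigin(a, b) {
  return originMismatch(a, b).length === 0;
}

// document.domain may only be set to the page's own host or a parent domain of
// it. Real browsers also refuse public suffixes such as 'com' via the Public
// Suffix List; this simplified check (an assumption of the example) only
// rejects single-label values.
function canRelaxTo(hostname, candidate) {
  const c = candidate.toLowerCase();
  if (!c.includes('.')) return false;
  return hostname === c || hostname.endsWith('.' + c);
}

// siteA.foo.com and siteB.foo.com can both become 'foo.com' and script each
// other. Only the host is relaxed: the scheme must still match (browsers null
// out the port once document.domain is assigned, so it is not compared here).
function canCommunicateViaDocumentDomain(urlA, urlB, candidate) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && canRelaxTo(a.host, candidate) && canRelaxTo(b.host, candidate);
}
```

`originMismatch` is the function to reach for when a cross-origin request is silently refused: it names the part (often the port or an http/https mix) that made two URLs different origins.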
  10. Core issues
     • No fine-grained security model
     • ‘Same origin’ policy is the master for the foreseeable future
     • Some APIs prompt the user for permission
     • Users are becoming overwhelmed

  11. API Recommendations
     • CORS
       • For intranet/extranet data-sharing, use specific domains - not “Access-Control-Allow-Origin: *”
     • [Web, DOM, Local] Storage
       • Use encryption, if available
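The CORS recommendation on slide 11, as an added server-side example that is not from the deck: the wildcard form beside an allow-list that reflects only named origins. The origin names are made up, and the allow list is assumed to be configuration the application owner controls; it runs in Node.js.

```javascript
// Added example, not from the deck: choosing the Access-Control-Allow-Origin
// response header on the server.

// The setting the slide warns against for intranet/extranet data: any page on
// the web can now read the response.
function corsHeadersWildcard() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Recommended form: reflect the request's Origin only when it is on an explicit
// list, matched as a whole serialized origin (scheme + host + port). Substring
// or prefix matching would let partner.example.attacker.example through.
function corsHeadersAllowList(requestOrigin, allowedOrigins, options = {}) {
  let origin;
  try {
    origin = new URL(requestOrigin).origin;   // normalizes case and default ports
  } catch (err) {
    return {};                                // 'null' or garbage: send no CORS headers at all
  }
  if (!allowedOrigins.includes(origin)) {
    return {};                                // no ACAO header, so the browser refuses the read
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',                         // the response depends on Origin; keep caches honest
  };
  if (options.credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Flags the weak configurations when reviewing what a server actually sends.
function auditCors(headers) {
  const findings = [];
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === '*') {
    findings.push('Access-Control-Allow-Origin: * lets every site read the response');
  }
  if (acao && acao !== '*' && !headers['Vary']) {
    findings.push('reflected origin without Vary: Origin can be cached for the wrong site');
  }
  if (acao === '*' && headers['Access-Control-Allow-Credentials'] === 'true') {
    findings.push('wildcard origin with credentials is rejected by browsers');
  }
  return findings;
}
```

The empty object returned for an unknown origin is deliberate: the absence of the header is what makes the browser block the read, so there is no need to echo a "denied" origin.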
  12. API Recommendations
     • IndexedDB
       • Use encryption, if available
     • Offline Apps
     • Geolocation API
       • Intranet/Extranet: Use sparingly
  13. API Recommendations
     • Downloadable fonts:
       • Intranet/Extranet: Don’t use them
     • Cross-window messaging (‘postMessage’)
       • Intranet/Extranet: Use sparingly
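Where postMessage is used at all, the checks on both ends decide whether it is safe. This added example is not from the deck: it shows the receiving handler validating `event.origin` and the message shape, and the sender naming a target origin instead of `*`. The origins and message types are made up, and a small fake window (my assumption, mirroring the browser's delivery rule) lets it run in Node.js.

```javascript
// Added example, not from the deck: origin checks on both ends of
// cross-window messaging (postMessage).

const TRUSTED_ORIGINS = new Set(['https://app.example', 'https://partner.example']);
const KNOWN_TYPES = new Set(['ping', 'cart:update']);

// Receiver: the body of a window.addEventListener('message', ...) callback.
// event.origin is set by the browser and cannot be forged by the sender, so it
// is the one field worth trusting; event.data is untrusted even from a trusted origin.
function handleMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null || typeof msg.type !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  if (!KNOWN_TYPES.has(msg.type)) {
    return { accepted: false, reason: 'unknown type ' + msg.type };
  }
  // Dispatch on a fixed type; never eval() the payload or write it via innerHTML.
  return { accepted: true, type: msg.type, payload: msg.payload === undefined ? null : msg.payload };
}

// Sender: always name the target origin. With '*' the message is delivered to
// whatever document is in the frame, including one the user navigated elsewhere.
function sendMessage(targetWindow, message, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to postMessage with targetOrigin "*"');
  }
  targetWindow.postMessage(message, targetOrigin);
}

// Fake window (assumption of this example) mirroring the browser rule: a message
// is delivered only if targetOrigin matches the receiving document's origin.
function makeFakeWindow(origin) {
  const delivered = [];
  return {
    origin,
    delivered,
    postMessage(message, targetOrigin) {
      if (targetOrigin === origin) delivered.push(message);
    },
  };
}
```

Both checks matter: the origin test stops other sites from driving the handler, and the shape test stops a trusted but compromised site from pushing an unexpected payload into code paths that were never meant to see it.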
  14. API Recommendations
     • Filesystem APIs
       • Intranet/Extranet: Don’t use them
     • Device APIs
       • Intranet/Extranet: Use sparingly
     • X-Frame-Options HTTP header

  15. Future
     • W3C has begun work on the “Content Security Policy”
     • Fine-grained, cross-API security mechanism
     • Currently a candidate recommendation
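Slide 14's X-Frame-Options header and slide 15's Content Security Policy are both set on the server, so one added example covers them (this is not code from the deck): a weak policy next to a tightened one, a serializer for the header value, and a review function that flags the settings that make the policy ineffective. The policies and audit rules are my own; note that the `frame-ancestors` directive belongs to CSP level 2, which came after this talk, which is why X-Frame-Options is still sent alongside it. Runs in Node.js.

```javascript
// Added example, not from the deck: X-Frame-Options (slide 14) and a Content
// Security Policy (slide 15), with a check for weak settings.

// Serialize { directive: [sources] } into the header value.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => directive + ' ' + sources.join(' '))
    .join('; ');
}

// Weak policy: wildcard sources and inline script turn CSP into a no-op for XSS.
const WEAK_POLICY = {
  'default-src': ['*'],
  'script-src': ["'self'", "'unsafe-inline'", '*'],
};

// Tightened policy: scripts only from our own origin, no plugins, no framing.
const STRICT_POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
  'frame-ancestors': ["'none'"],   // CSP level 2, later than the deck
};

// Review rules a practitioner applies to a policy before shipping it.
function auditCsp(policy) {
  const findings = [];
  const scripts = policy['script-src'] || policy['default-src'] || [];
  if (scripts.includes('*')) findings.push('script-src allows any origin');
  if (scripts.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline': inline XSS still runs");
  if (scripts.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (!policy['default-src']) findings.push('no default-src fallback for unlisted directives');
  if (!policy['object-src']) findings.push("no object-src 'none': plugin content falls back to default-src");
  return findings;
}

// Headers to send with every HTML response. X-Frame-Options covers browsers that
// predate frame-ancestors; DENY and SAMEORIGIN are the two reliably supported values.
function securityHeaders(policy, frameOption) {
  if (!['DENY', 'SAMEORIGIN'].includes(frameOption)) {
    throw new Error('X-Frame-Options must be DENY or SAMEORIGIN');
  }
  return {
    'Content-Security-Policy': buildCsp(policy),
    'X-Frame-Options': frameOption,
  };
}
```

Run `auditCsp` against the policy a site actually serves before trusting it: a policy that lists `'unsafe-inline'` for scripts looks like protection but does not stop the injected inline script that CSP was meant to block.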
  16. Organizational policies
     • Use different browsers (or browser profiles) for tasks requiring different levels of security
       • IE for work, FF for play / personal
     • Use work machine / browser only for work
     • Use own device for personal

  17. Conclusion
     • Browsers are becoming more powerful
     • Users will upgrade
     • Users will find ways around your attempts to prevent them from upgrading
     • As with much of IT security, the real solution lies in education and organizational policy

  18. Questions?
     • Thanks!