HTML5 security

•

0 likes•600 views

bedney

A mid-level managers talk about the new capabilities in HTML5 and what to watch out for security-wise.

Technology

HTML5 Security
William J. Edney
Technical Pursuit Inc.
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
Clariﬁcation
• Much of what is termed “HTML5”, insofar
as new programming capability is
concerned, is really not HTML. It is really
more JavaScript API added to the browser.
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
“Hot button” issue
• Much of ‘external facing’ computing is done
on the Web these days
• E-commerce
• Customer care
• Partner collaboration
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
What hasn’t changed:
Same Origin Model
• Core of web security
• Same host
• Same protocol
• Same port
• XMLHTTPRequest is bound by this model
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
What hasn’t changed:
Extensions / addons
• Browsers can get access to:
• Bookmarks
• File system
• Cross-origin XHR
• Require extra user permission to install
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
“HTML5” additions
• Cross-Origin Resource Sharing (CORS)
• [Web, DOM, Local] Storage
• Indexed DB (supplants WebDB)
• Ofﬂine Apps (‘HTML5 manifest’)
• Geolocation API
• Downloadable Fonts
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
“HTML5” additions
• Cross-window messaging (‘postMessage’)
• Filesystem APIs
• Device APIs (Camera, GPS, etc.)
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
Future
• Web Crypto
• Web Real Time Communication (WebRTC)
• Today in Chrome and Firefox
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
Relaxing same-origin
• document.domain property
• siteA.foo.com and siteB.foo.com can
become ‘foo.com’ and communicate
• JSONP
• HTML5: CORS
• HTML5: postMessage()
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
Core issues
• No ﬁne-grained security model
• ‘Same origin’ policy is the master for the
foreseeable future
• Some APIs prompt the user for permission
• Users are becoming overwhelmed
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
API Recommendations
• CORS
• For intranet/extranet data-sharing, use
speciﬁc domains - not
“Access-Control-Allow-Origin: *”
• [Web, DOM, Local] Storage
• Use encryption, if available
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
API Recommendations
• IndexedDB
• Use encryption, if available
• Ofﬂine Apps
• Geolocation API
• Intranet/Extranet: Use sparingly
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
API Recommendations
• Downloadable fonts:
• Intranet/Extranet: Don’t use them
• Cross-window messaging (‘postMessage’)
• Intranet/Extranet: Use sparingly
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
API Recommendations
• Filesystem APIs
• Intranet/Extranet: Don’t use them
• Device APIs
• Intranet/Extranet: Use sparingly
• x-frame-options HTTP header
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
Future
• W3C has begun work on the “Content
Security Policy”
• Fine-grained, cross API, security
mechanism
• Currently a candidate recommendation
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
Organizational policies
• Use different browsers (or browser
proﬁles) for tasks requiring different levels
of security
• IE for work, FF for play / personal
• Use work machine / browser only for work
• Use own device for personal
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
Conclusion
• Browsers are becoming more powerful
• Users will upgrade
• Users will ﬁnd ways around your attempts
to prevent them from upgrading
• As with much of IT security, the real
solution lies in education and organizational
policy
Thursday, May 16, 13

William J. Edney Technical Pursuit Inc.
Questions?
• Thanks!
Thursday, May 16, 13

Similar to HTML5 security

ClubAJAX Basics - Server Communication

Mike Wilcox

Datasets, APIs, and Web Scraping

Damian T. Gordon

Drawing the Line with Browser Compatibility

jsmith92

Stabilising a large ibm connections environment

Martijn de Jong

Frontend State of the union

Filip Bruun Bech-Larsen

Firefox OS Workshop @ Serbia & Montenegro - Training

Jan Jongboom

A new breed of mobile devices with sophisticated processors and ample storage has given rise to sophisticated applications that move more and more data and business logic to devices. The result is significant and potentially dangerous security challenges, especially for location-aware mobile applications and those storing sensitive or valuable data on devices. To counter these risks, Johannes Ullrich introduces and demonstrates design strategies you can use to mitigate these risks and make applications safer and less vulnerable. Johannes illustrates design patterns to: co-validate data on both the client and server; authenticate transactions on the server; and store only authenticated and access-controlled data on the client. Learn to apply these solutions without losing access to powerful HTML5 JavaScript APIs such as those required for location-based mobile applications. Johannes shares the source code of a location-based mobile application used to organize the cataloging of historic buildings.

Danger! Danger! Your Mobile Applications Are Not Secure

TechWell

Html5 Application Security

chuckbt

CohesiveFT: Get started with public cloud It's time to explore the public cloud. Get familiar with Amazon's AWS EC2 compute and S3 storage. Demo and guides will prep you to do big things with hosting for your websites and apps! Part 1 Cloud & Virtualization: Welcome! We'll run through the basics of public vs. private cloud, the cloud marketplace, and why we picked AWS to demonstrate Hosted by: Ryan Koop, Director of Marketing

CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...

Ryan Koop

The Future of the web

Filip Bruun Bech-Larsen

Codestrong 2012 breakout session introduction to mobile web and best practices

Axway Appcelerator

Future of the Web

Filip Bruun Bech-Larsen

A Brave New World

SensePost

Frontend development of the (current) future

Filip Bruun Bech-Larsen

Building iPhone/Andriod Apps with Titanium Appcelerator for a Rails Backend

Andrew Chalkley

Presented by Vivek Thuravupala, Software Engineer @ Postman in joint meetup in Walmart on 28th April, BLR. Abstract: We'll talk about the exploding usage of APIs and why security shouldn't be an afterthought when it comes to designing and building APIs. We'll also run through some concrete examples illustrating common pitfalls encountered while design/building. About the speaker: Vivek builds stuff for the web, and he's been swimming around in various tech ponds since he was a kid. At Postman, he keeps an eye on a bunch of the user-facing products.

Designing & Building Secure Web APIs

CodeOps Technologies LLP

Mobile code mining for discovery and exploits nullcongoa2013

Blueinfy Solutions

Ch 10: Hacking Web Servers

Sam Bowne

The 3 Top Techniques for Web Security Testing Using a Proxy

TEST Huddle

This covers some basic major components of the Android Open Source Platform, including: - AOSP's vs Linux - AOSP kernel vs Linux kernel differences - AOSP init.rc files - AOSP source code organization - AOSP run-time filesystem - AOSP build system - Basics of zygote, system services, and Binder-based IPC Presented at DC Android Meetup Oct 2015 http://www.meetup.com/DCAndroid/events/225802229/

Fast-paced Introduction to Android Internals

Hamilton Turner

Similar to HTML5 security (20)

ClubAJAX Basics - Server Communication

Datasets, APIs, and Web Scraping

Drawing the Line with Browser Compatibility

Stabilising a large ibm connections environment

Frontend State of the union

Firefox OS Workshop @ Serbia & Montenegro - Training

Danger! Danger! Your Mobile Applications Are Not Secure

Html5 Application Security

CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...

The Future of the web

Codestrong 2012 breakout session introduction to mobile web and best practices

Future of the Web

A Brave New World

Frontend development of the (current) future

Building iPhone/Andriod Apps with Titanium Appcelerator for a Rails Backend

Designing & Building Secure Web APIs

Mobile code mining for discovery and exploits nullcongoa2013

Ch 10: Hacking Web Servers

The 3 Top Techniques for Web Security Testing Using a Proxy

Fast-paced Introduction to Android Internals

Recently uploaded

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

CNv6 Instructor Chapter 6 Quality of Service

giselly40

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Delhi Call girls

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

How to convert PDF to text with Nanonets

naman860154

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

Sara Mae O’Brien Scott and Tatiana Baquero Cakici, Senior Consultants at Enterprise Knowledge (EK), presented “AI Fast Track to Search-Focused AI Solutions” at the Information Architecture Conference (IAC24) that took place on April 11, 2024 in Seattle, WA. In their presentation, O’Brien-Scott and Cakici focused on what Enterprise AI is, why it is important, and what it takes to empower organizations to get started on a search-based AI journey and stay on track. The presentation explored the complexities of enterprise search challenges and how IA principles can be leveraged to provide AI solutions through the use of a semantic layer. O’Brien-Scott and Cakici showcased a case study where a taxonomy, an ontology, and a knowledge graph were used to structure content at a healthcare workforce solutions organization, providing personalized content recommendations and increasing content findability. In this session, participants gained insights about the following: Most common types of AI categories and use cases; Recommended steps to design and implement taxonomies and ontologies, ensuring they evolve effectively and support the organization’s search objectives; Taxonomy and ontology design considerations and best practices; Real-world AI applications that illustrated the value of taxonomies, ontologies, and knowledge graphs; and Tools, roles, and skills to design and implement AI-powered search solutions.

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Enterprise Knowledge

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Handwritten Text Recognition for manuscripts and early printed texts

Maria Levchenko

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors

presentation ICT roal in 21st century education

CNv6 Instructor Chapter 6 Quality of Service

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

08448380779 Call Girls In Civil Lines Women Seeking Men

Partners Life - Insurer Innovation Award 2024

[2024]Digital Global Overview Report 2024 Meltwater.pdf

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

The 7 Things I Know About Cyber Security After 25 Years | April 2024

How to Troubleshoot Apps for the Modern Connected Worker

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

How to convert PDF to text with Nanonets

What Are The Drone Anti-jamming Systems Technology?

Axa Assurance Maroc - Insurer Innovation Award 2024

Artificial Intelligence: Facts and Myths

Tech Trends Report 2024 Future Today Institute.pdf

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Handwritten Text Recognition for manuscripts and early printed texts

HTML5 security

1. HTML5 Security William J. Edney Technical Pursuit Inc. Thursday, May 16, 13

2. William J. Edney Technical Pursuit Inc. Clariﬁcation • Much of what is termed “HTML5”, insofar as new programming capability is concerned, is really not HTML. It is really more JavaScript API added to the browser. Thursday, May 16, 13

3. William J. Edney Technical Pursuit Inc. “Hot button” issue • Much of ‘external facing’ computing is done on the Web these days • E-commerce • Customer care • Partner collaboration Thursday, May 16, 13

4. William J. Edney Technical Pursuit Inc. What hasn’t changed: Same Origin Model • Core of web security • Same host • Same protocol • Same port • XMLHTTPRequest is bound by this model Thursday, May 16, 13

5. William J. Edney Technical Pursuit Inc. What hasn’t changed: Extensions / addons • Browsers can get access to: • Bookmarks • File system • Cross-origin XHR • Require extra user permission to install Thursday, May 16, 13

6. William J. Edney Technical Pursuit Inc. “HTML5” additions • Cross-Origin Resource Sharing (CORS) • [Web, DOM, Local] Storage • Indexed DB (supplants WebDB) • Ofﬂine Apps (‘HTML5 manifest’) • Geolocation API • Downloadable Fonts Thursday, May 16, 13

7. William J. Edney Technical Pursuit Inc. “HTML5” additions • Cross-window messaging (‘postMessage’) • Filesystem APIs • Device APIs (Camera, GPS, etc.) Thursday, May 16, 13

8. William J. Edney Technical Pursuit Inc. Future • Web Crypto • Web Real Time Communication (WebRTC) • Today in Chrome and Firefox Thursday, May 16, 13

9. William J. Edney Technical Pursuit Inc. Relaxing same-origin • document.domain property • siteA.foo.com and siteB.foo.com can become ‘foo.com’ and communicate • JSONP • HTML5: CORS • HTML5: postMessage() Thursday, May 16, 13

10. William J. Edney Technical Pursuit Inc. Core issues • No ﬁne-grained security model • ‘Same origin’ policy is the master for the foreseeable future • Some APIs prompt the user for permission • Users are becoming overwhelmed Thursday, May 16, 13

11. William J. Edney Technical Pursuit Inc. API Recommendations • CORS • For intranet/extranet data-sharing, use speciﬁc domains - not “Access-Control-Allow-Origin: *” • [Web, DOM, Local] Storage • Use encryption, if available Thursday, May 16, 13

12. William J. Edney Technical Pursuit Inc. API Recommendations • IndexedDB • Use encryption, if available • Ofﬂine Apps • Geolocation API • Intranet/Extranet: Use sparingly Thursday, May 16, 13

13. William J. Edney Technical Pursuit Inc. API Recommendations • Downloadable fonts: • Intranet/Extranet: Don’t use them • Cross-window messaging (‘postMessage’) • Intranet/Extranet: Use sparingly Thursday, May 16, 13

14. William J. Edney Technical Pursuit Inc. API Recommendations • Filesystem APIs • Intranet/Extranet: Don’t use them • Device APIs • Intranet/Extranet: Use sparingly • x-frame-options HTTP header Thursday, May 16, 13

15. William J. Edney Technical Pursuit Inc. Future • W3C has begun work on the “Content Security Policy” • Fine-grained, cross API, security mechanism • Currently a candidate recommendation Thursday, May 16, 13

16. William J. Edney Technical Pursuit Inc. Organizational policies • Use different browsers (or browser proﬁles) for tasks requiring different levels of security • IE for work, FF for play / personal • Use work machine / browser only for work • Use own device for personal Thursday, May 16, 13

17. William J. Edney Technical Pursuit Inc. Conclusion • Browsers are becoming more powerful • Users will upgrade • Users will ﬁnd ways around your attempts to prevent them from upgrading • As with much of IT security, the real solution lies in education and organizational policy Thursday, May 16, 13

18. William J. Edney Technical Pursuit Inc. Questions? • Thanks! Thursday, May 16, 13

HTML5 security

Recommended

Recommended

More Related Content

Similar to HTML5 security

Similar to HTML5 security (20)

Recently uploaded

Recently uploaded (20)

HTML5 security