Further to my previous notes about HTML 5 security, a superb reference document was published earlier this month.
HTML5 Web Security describes issues, vulnerabilities, threat & attack scenarios and countermeasures across 80 pages including numerous well thought-out diagrams, and is backed up with detailed references and an appendix full of attack details.
The main sections are:
- 2.2 Cross-origin resource sharing
- 2.3 Web storage
- 2.4 Offline web application
- 2.5 Web messaging
- 2.6 Custom scheme and content handlers
- 2.7 Web sockets API
- 2.8 Geolocation API
- 2.9 Implicit relevant features of HTML5 (web workers, new elements, attributes and CSS, iframe sandboxing and server-sent events)
If you are already developing HTML, or planning to, read this document as soon as possible and update your requirements documents, specifications, design documents, coding standards, and test plans to incorporate the knowledge.
The document would be worth buying if it were a book, but it has generously been made available publicly. Yes, I am still reading the document, and so far have only one very minor complaint — it would be good to have a content list. Maybe in version 1.1?
Posted on: 27 December 2011 at 09:07 hrs