A mid-level managers talk about the new capabilities in HTML5 and what to watch out for security-wise.

1. HTML5 Security
William J. Edney
Technical Pursuit Inc.
Thursday, May 16, 13

2. William J. Edney Technical Pursuit Inc.
Clarification
• Much of what is termed “HTML5”, insofar
as new programming capability is
concerned, is really not HTML. It is really
more JavaScript API added to the browser.
Thursday, May 16, 13

3. William J. Edney Technical Pursuit Inc.
“Hot button” issue
• Much of ‘external facing’ computing is done
on the Web these days
• E-commerce
• Customer care
• Partner collaboration
Thursday, May 16, 13

4. William J. Edney Technical Pursuit Inc.
What hasn’t changed:
Same Origin Model
• Core of web security
• Same host
• Same protocol
• Same port
• XMLHTTPRequest is bound by this model
Thursday, May 16, 13

5. William J. Edney Technical Pursuit Inc.
What hasn’t changed:
Extensions / addons
• Browsers can get access to:
• Bookmarks
• File system
• Cross-origin XHR
• Require extra user permission to install
Thursday, May 16, 13

6. William J. Edney Technical Pursuit Inc.
“HTML5” additions
• Cross-Origin Resource Sharing (CORS)
• [Web, DOM, Local] Storage
• Indexed DB (supplants WebDB)
• Offline Apps (‘HTML5 manifest’)
• Geolocation API
• Downloadable Fonts
Thursday, May 16, 13

7. William J. Edney Technical Pursuit Inc.
“HTML5” additions
• Cross-window messaging (‘postMessage’)
• Filesystem APIs
• Device APIs (Camera, GPS, etc.)
Thursday, May 16, 13

8. William J. Edney Technical Pursuit Inc.
Future
• Web Crypto
• Web Real Time Communication (WebRTC)
• Today in Chrome and Firefox
Thursday, May 16, 13

9. William J. Edney Technical Pursuit Inc.
Relaxing same-origin
• document.domain property
• siteA.foo.com and siteB.foo.com can
become ‘foo.com’ and communicate
• JSONP
• HTML5: CORS
• HTML5: postMessage()
Thursday, May 16, 13

10. William J. Edney Technical Pursuit Inc.
Core issues
• No fine-grained security model
• ‘Same origin’ policy is the master for the
foreseeable future
• Some APIs prompt the user for permission
• Users are becoming overwhelmed
Thursday, May 16, 13

11. William J. Edney Technical Pursuit Inc.
API Recommendations
• CORS
• For intranet/extranet data-sharing, use
specific domains - not
“Access-Control-Allow-Origin: *”
• [Web, DOM, Local] Storage
• Use encryption, if available
Thursday, May 16, 13

12. William J. Edney Technical Pursuit Inc.
API Recommendations
• IndexedDB
• Use encryption, if available
• Offline Apps
• Geolocation API
• Intranet/Extranet: Use sparingly
Thursday, May 16, 13

13. William J. Edney Technical Pursuit Inc.
API Recommendations
• Downloadable fonts:
• Intranet/Extranet: Don’t use them
• Cross-window messaging (‘postMessage’)
• Intranet/Extranet: Use sparingly
Thursday, May 16, 13

14. William J. Edney Technical Pursuit Inc.
API Recommendations
• Filesystem APIs
• Intranet/Extranet: Don’t use them
• Device APIs
• Intranet/Extranet: Use sparingly
• x-frame-options HTTP header
Thursday, May 16, 13

15. William J. Edney Technical Pursuit Inc.
Future
• W3C has begun work on the “Content
Security Policy”
• Fine-grained, cross API, security
mechanism
• Currently a candidate recommendation
Thursday, May 16, 13

16. William J. Edney Technical Pursuit Inc.
Organizational policies
• Use different browsers (or browser
profiles) for tasks requiring different levels
of security
• IE for work, FF for play / personal
• Use work machine / browser only for work
• Use own device for personal
Thursday, May 16, 13

17. William J. Edney Technical Pursuit Inc.
Conclusion
• Browsers are becoming more powerful
• Users will upgrade
• Users will find ways around your attempts
to prevent them from upgrading
• As with much of IT security, the real
solution lies in education and organizational
policy
Thursday, May 16, 13

18. William J. Edney Technical Pursuit Inc.
Questions?
• Thanks!
Thursday, May 16, 13