Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Security Risks of HTML5 Development

Posted by samzenpus on from the protect-ya-neck dept.

CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."

4 of 275 comments (clear)

  1. Nothing new by Urd.Yggdrasil · · Score: 5, Insightful

    Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development. As with adding any other new development feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on educating developers on security instead of trying to cram every new buzzword tech they can into their application.

    1. Re:Nothing new by digitalchinky · · Score: 5, Insightful

      You could also argue that contractors who shop around for the cheapest / fastest deal possible get exactly what they pay for. You want quality work, you have to pay for it, just like in every other industry.

  2. then stop hijacking phrases from other industries by Anonymous Coward · · Score: 5, Funny

    developer, before the rise of the cyber-douchebag, was someone who built houses for people to live in, or maybe a shopping center or something.

    engineer, before the rise of the cyber-douchebag, was someone who had to get a license in order to build machines that might hurt people if designed wrong

    programmer, before the rise of the cyber-douchebag, used to be happy with their good pay and didnt need to call themselves something they werenrt.

  3. Re:Real developers don't do web development by OG · · Score: 5, Interesting

    Not true at all. I've been programming since I was 6 (now 37), have a degree in CS, and spent the first 13 years of my post-college career doing C++ programming. I transitioned to web development because I find it interesting. I work with other highly intelligent, skilled web developers. Web development has moved beyond putting together a blog. Some people, such as myself, think the challenges involved in putting together a scalable, responsive, functional, secure web app are interesting, and after reaching a bit of burnout in my C++, I feel a bit renewed. Not to mention the fact that learning how best to utilize a new set of languages and technologies has made me a better programmer all around, even benefitting the times I need to switch back to C++ mode.