Forgot your password?
typodupeerror
Programming Security

The Security Risks of HTML5 Development 275

Posted by samzenpus
from the protect-ya-neck dept.
CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."
This discussion has been archived. No new comments can be posted.

The Security Risks of HTML5 Development

Comments Filter:
  • Javascript (Score:2, Insightful)

    by Anonymous Coward

    Where remote code execution is by design.

    • JavaScript: Where each web site has its own user account.

      Web browsers are designed to handle the privilege separation in JavaScript the way operating systems handle user accounts. Each origin has its own account, and origins can't access resources associated with a different origin unless the owner of the different origin has opted into sharing the resource (CORS). Ideally, browser publishers treat violations of origin separation as seriously as OS publishers treat violations of user separation.

      • by AuMatar (183847)

        Wait- why do the sites get to control this, rather than the user? If the sites get to specify who can share, that's a massive hole for tracking the way ad companies use cookies.

        • by tepples (727027)

          Wait- why do the sites get to control this, rather than the user?

          The user controls this by using browser preferences and browser extensions.

      • As far as I can tell, the goal of CORS was purely to prevent someone from repurposing your browser when you visit site X and using your existing SSO/cookies to make authenticated AJAX calls to site Y.

        It doesn't set out to address data-leakage that can occur from script injection into Y, where AJAX calls to X might be embedded so as to export your private data (you can guarantee site X will set a * allow-origin header, and Y's opinion is not sought.)
        It also doesn't prevent attacks from random web clients who

        • Nothing prevents you from setting up a proxy-server that changes the origin headers, to grant the whole Internet access to a resource someone wanted to be "only from their own website".

          Copyright does if any of these resources qualifies as an original work of authorship. The use of CORS to control access to web fonts is an intentional example of this.

      • "Each origin has its own account, and origins can't access resources associated with a different origin unless the owner of the different origin has opted into sharing the resource (CORS). "

        Big f*ing deal. This should be directly controllable by the end user, not just by the "origins". After all, it's the user's computer.

        "Ideally, browser publishers treat violations of origin separation as seriously as OS publishers treat violations of user separation. "

        THE HELL WITH "IDEALLY". You know that won't happen in many cases.

    • Applications- where code execution is expected.
  • Nothing new (Score:5, Insightful)

    by Urd.Yggdrasil (1127899) on Monday June 24, 2013 @04:15AM (#44090361)
    Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development. As with adding any other new development feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on educating developers on security instead of trying to cram every new buzzword tech they can into their application.
    • Re:Nothing new (Score:5, Insightful)

      by digitalchinky (650880) <dtchky@gmail.com> on Monday June 24, 2013 @04:25AM (#44090375)

      You could also argue that contractors who shop around for the cheapest / fastest deal possible get exactly what they pay for. You want quality work, you have to pay for it, just like in every other industry.

      • by jbolden (176878)

        Many other industries are regulated to insure that work meets certain quality standards. Further they often have professional associations with real teeth.

        • Many other industries are regulated to insure that work meets certain quality standards. Further they often have professional associations with real teeth.

          While that is to a certain extent true; the real value of regulation is limiting competition by requiring licensure and often educational requirements to get and maintain a license.

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            While that is to a certain extent true; the real value of regulation is limiting competition by requiring licensure and often educational requirements to get and maintain a license.

            The real purpose of regulation is so your fucking house doesn't burn down because someone who wasn't trained installed the wiring.

    • Re:Nothing new (Score:4, Insightful)

      by Cenan (1892902) on Monday June 24, 2013 @04:36AM (#44090409)

      I strongly object to using the word "developers" to describe people that are clearly fucking hacks. You don't become a doctor just because you use a scalpel to cut people open. Spade, meet shovel.

      Half the web hacks out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web hackery. As with adding any other new buzzword feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on replacing hacks with real developers instead of trying to cram every new buzzword tech they can into their piece of shit application.

      • by Anonymous Coward on Monday June 24, 2013 @05:25AM (#44090541)

        developer, before the rise of the cyber-douchebag, was someone who built houses for people to live in, or maybe a shopping center or something.

        engineer, before the rise of the cyber-douchebag, was someone who had to get a license in order to build machines that might hurt people if designed wrong

        programmer, before the rise of the cyber-douchebag, used to be happy with their good pay and didnt need to call themselves something they werenrt.

        • by Cenan (1892902)

          Pining for the olden days is no solution. I think what we need is to recognize that creating and deploying software has consequences, and a such we need a developer license, similar to how being a surgeon or a lawyer requires a license. And we need to enforce it with hard jail time / labor camp, when yet another douchebag leaks half a million rows of user data because he copy-pastaed from Stack Exchange.

          • Labor camp, or any other similar phrases, are just another term for slavery.
            Slavery, forcing a person to work. Labor camp, forcing a person to work. Labor camp=slavery.

            Oh look, even Wikipedia [wikipedia.org] makes that point.

            The United States prison system is being called "a new form of inhumane exploitation." Current penal labor in the U.S., it adds, "has its roots on slavery."

            If you're a real communist you wouldn't be advocating for such shit.

            • by qbzzt (11136)

              Historically, communist regimes had no problem with using forced labor.

              Labor camp, or any other similar phrases, are just another term for slavery.
              Slavery, forcing a person to work. Labor camp, forcing a person to work. Labor camp=slavery.

              ...snip...

              If you're a real communist you wouldn't be advocating for such shit.

              • Historically, regimes that have claimed to be representing the workers, and to be moving towards communism (just as soon as they finished oppressing the bourgeoisie) had no problem with using forced labor.
                But the thing is, they never claimed that the place was communist, only that the party was, and that the country was in the transitional state.
                Total bullshit of course. Hence the use of the modifier "true" on "communist". A true communist being someone who actually desires a classless stateless society whe

                • by qbzzt (11136)

                  Yes. I think this falls under the "No True Scotsman", but I see how you could disagree.

                  • Yes. I think this falls under the "No True Scotsman"

                    Sort of, but not really, because Marx was fairly clear defining 'socialism' as a step towards 'communism.' The Soviets even stuck 'socialist' in their name, to make clear that they were moving towards communism, but hadn't made it yet. Briefly:

                    Communism = "To each according to his needs, from each according to his ability."
                    Socialism = "To each according to his contribution."

            • by Cenan (1892902)

              Labor camp, or [*snip*]

              I guess the "whoosh" meme would apply here, if it hadn't already been raped and beaten to death. Well, I guess it applies nonetheless, so there ya go: whoosh.

          • by Grishnakh (216268) on Monday June 24, 2013 @07:41AM (#44091185)

            Wrong. Why would anyone want to take on such a job?

            Surgeons and lawyers are very different professions: they own their own businesses, they're their own bosses, and they make a ton of money (unless they're in a junior position, but the career goal is to have your own practice, or be a "partner" in a top law firm which is mostly the same thing).

            Developers and other software people aren't their own bosses, unless they're contractors. They work for corporations, and are just paid employees, no different from secretaries or janitors. They have zero control over their own work and how they do it: they have to do whatever their boss tells them to. Why should a developer be responsible for something failing when he was directed to write it in a half-ass manner by his boss?

            • by Cenan (1892902)

              Why should a developer be responsible for something failing when he was directed to write it in a half-ass manner by his boss?

              Why should he or his boss be allowed off the hook when half a million records were just leaked? It's not so much about a license, that was an example, it is about enforcing due diligence in the business.

              For instance, if you want to run a restaurant, you have to get a permit and will be subject to control visits to ensure that you comply with basic guidelines for handling food. Anyone can cook, but to be able to serve your food to other people, you have to have a permit. Same thing should apply to developers

              • by Grishnakh (216268)

                Restaurant cooks don't have licenses. The restaurants themselves do, but the cooks and other low-level employees do not.

                So why are you trying to make the low-level employees bear all the responsibility, instead of their bosses and the corporations they work for?

                Software developers are just like line cooks; they have no say in anything, they don't get paid much (compared to the corporation executives), so why should they have to get licenses?

                • by Cenan (1892902)

                  Restaurant cooks don't have licenses. The restaurants themselves do, but the cooks and other low-level employees do not.

                  What's the difference? Either the cooks enforce the guidelines to avoid loosing their license, or the restaurant does. There is no practical difference from the view of the consumer. It is, as we would say, an implementation detail.

                  So why are you trying to make the low-level employees bear all the responsibility, instead of their bosses and the corporations they work for?

                  I'm not. Anyways, the question was asked an answered.

                  Software developers are just like line cooks

                  No, not any more or less than cooks are. In fact, you could probably find more self employed "developers" than cooks (discounting home cooking here), which is part of the overall problem. It is impossible to produce error free

                  • by Grishnakh (216268)

                    The difference is that, if you're a cook in some shitty restaurant where they don't keep stuff clean, and someone gets sick and sues the restaurant or the health board investigate, it's the restaurant and its owners who get in trouble, have to pay judgments, lose their food service license, etc. As a cook, you'll probably lose your job when the restaurant goes belly-up, but you can walk down the street to another restaurant and just get another job.

                    In your stupid world, software developers who are part of

                    • by Cenan (1892902)

                      The difference is that, if you're a cook in some shitty restaurant where they don't keep stuff clean, and someone gets sick and sues the restaurant or the health board investigate, it's the restaurant and its owners who get in trouble, have to pay judgments, lose their food service license, etc. As a cook, you'll probably lose your job when the restaurant goes belly-up, but you can walk down the street to another restaurant and just get another job.

                      Well sure, if we absolutely want to keep the analogy alive, I suppose you could see it that way. And then what happens? Is the cook not, in part, responsible for what happened at his former workplace? Unless he's the one who called the health board, he did nobody any good, but due to his willful ignorance, he may have caused harm. Why should he go free?

                      In your stupid world, software developers who are part of a team led by a shitty manager at a shitty company would be held personally liable for software defects, would have multi-million dollar judgments against them, and would never be able to work again after losing their license because of a mistake made by another team member, the boss's poor direction, the QA team's failure to catch the problem, or the upper management's failure to even have a QA team in the first place (they decided to lay off the QA department to save money and get a big bonus).

                      You aren't really arguing against what I said, you're just shuffling blame around between pretend people. And you do not have to chose either all black or al

                • The last two places I've lived cooks did have permits.
                  That is in addition to license the restaurant, daycare center or other business handling food has.

                  For a food handler making $8 - $10 / hour, the permit requires a one-day class. If they screw up, someone might get food poisoning . For an attorney to make ten times as much, the license requires seven years of school. If they screw up, someone might go to prison.

                  Where on the professionalism / risk scale should web developers be? Should they require LESS
            • Surgeons and lawyers are very different professions: they own their own businesses, they're their own bosses, and they make a ton of money

              You are a quite incorrect. Better pick another example to compare to if you want your argument to hold any water.

              Most doctors do not own their own business and many aren't even paid all that well especially considering the hours required. The majority [nejm.org] work for hospitals and thus are employed by someone else. The amount of money they make varies greatly by specialty. General practitioners as a rule do not actually make particularly high salaries. The lowest paid GPs have salaries of less than $90K [healthcare...online.com] per

              • I'm sorry... are you saying $175,000/ year isn't a FUCK TON of money? boo fucking hoo; 60 - 80 hours a week? Welcome to minimum wage just trying to get by while supporting a family. FIX YOUR PERSPECTIVE!

                </rant>

                • by sjbe (173966) on Monday June 24, 2013 @10:53AM (#44093073)

                  I'm sorry... are you saying $175,000/ year isn't a FUCK TON of money?

                  Basically that is exactly what I'm saying. While no one is asking anyone to cry for the doctors, you seem to think they are incredibly wealthy which demonstrably is not true. Many do quite well in the long run but they pay a steep price to get there.First off that is gross pay and makes no allowance for cost of living in your area. $175K in NYC doesn't go far when even a crappy condo can easily cost $500K. Where I live the gross salary for a GP is more like $90-120K/year. Cut that salary number in half once taxes are taken into account. Furthermore a huge number of doctors graduate with between a quarter million to a half million in debt from their schooling. That takes $20-50K per year right off the top of their pay just in debt service. Don't forget the huge insurance costs which are in the tens of thousands of dollars. Also bear in mind that doctors are not paid for the 4 years on medical school on top of 4+ years of undergrad school and are paid a rather low salary (usually around $40K/year) while in residency which can last for between 3-8 years. That's effectively a decade or more of less than minimum wage work once you calculate the hourly wage while piling up enough debt to pay for a fairly nice house. The opportunity cost is enormous.

                  Did you start your career 10 years after your college educated peers with a mountain of debt and limited transferable skills? Did anyone have to pass laws to prohibit you from being forced to work more than 80+ hours a week for no extra compensation? (laws which regularly get ignored and endanger patients by the way) Have you ever been required to work 36 hour shifts without any sleep? No. You just looked at the gross salary number and decided they make just a bit less than Bill Gates and live lives of luxury and ease. The real world is a little more complicated than a gross salary figure.

                  60 - 80 hours a week? Welcome to minimum wage just trying to get by while supporting a family.

                  I've been there working very long hours for minimum wage or less. Know what? Doctors often have it worse when it comes to lifestyle. They give up a decade or more of your life training working your ass off for an hourly rate of less than minimum wage just to get started in your career with a mountain of debt. They might make a decent salary but many of them hardly get to enjoy it. I've worked a 14 hour day, and my wife who left for work before me was still at work. I've seen her pull 36 hour shifts at the hospital. Being on call means you effectively do not get any sleep and some doctors are on call as often as every 3rd or 4th night and they often don't get a day off in between. My wife spent a year or two working for minimum wage in a lab before medical school and refers to it as the happiest year of her life. Sure she had to scrape to make ends meet but her time outside of work was her own. Becoming a doctor is a objectively miserable experience and even once you begin your career the lifestyle still sucks for many doctors. I don't know how many I've spoken to who would choose another profession if they had the chance to do it all over.

                  FIX YOUR PERSPECTIVE!

                  You have no idea what my perspective is. I've been poorer than a church mouse and worked my ass off to get where I am today. I've also have worked with and lived with doctors (including my wife) and seen what they have to go through first hand. I know up close and personal what I am talking about and I'm pretty sure you do not.

                  • My argument is at the 175K mark. That's 14,583 dollars a month. We'll subtract out your 50% tax burden to get $7291 dollars a month. We'll assume you're paying $3,166/month to pay off your $250,000 debt in 10 years, leaving you $4125/month or $49,508 after taxes. Median income in the US is $32,000 - pre tax, or at a 25% tax rate, $24,000 aka $2,000/ month. That's $2125 a month more than the average person, for 10 years after you get a job, more than enough to get a decent place to live and a couple of ca

              • by Grishnakh (216268)

                I don't know where you get all this BS. Most doctors work for themselves or for a small group of doctors. Every time I've been to a hospital (and everyone I've ever known has), I got multiple bills, one being from the hospital, and one being from the doctor. Doctors DO NOT work for hospitals.

                • I don't know where you get all this BS. Most doctors work for themselves or for a small group of doctors

                  How about The New England Journal of Medicine [nejm.org]? How about NPR? How about the doctor I am married to? Hospitals hire huge numbers of doctors and the rate has been increasing in recent years dramatically.

                  Every time I've been to a hospital (and everyone I've ever known has), I got multiple bills, one being from the hospital, and one being from the doctor.

                  That has precisely nothing to do with how the doctor is compensated for his/her take home pay. While it is possible that they two are independent (there are lots of independent doctor's offices), a great many practices are actually fully owned subsidiaries of hospital systems. Just because you are not in

          • And we need to enforce it with hard jail time / labor camp, ..... Label? I'll take the bright red one with Communist written on it.

            Why do you have to fall into the stereotype so well? You're not even in charge of a country yet, and you're already trying to throw people in jail.

      • by drinkypoo (153816)

        The word those people don't get to use is not "engineer" but "Developer". A developer is one who develops. The word says nothing whatsoever about whether the development is shitty. Consult your dictionary, and use it to build a bridge and get over your failure.

        • by Cenan (1892902)

          OP used the word "developers", your beef is with him/her/it. I don't care what they call themselves, being vulnerable to XSS, SQL injection or any of a number of different script kiddie techniques instantly disqualifies you from being called anything but a hack.

          • by drinkypoo (153816)

            Whoops, I got them backwards anyway.

            Developer: one who develops. It's called a housing development even when it's full of shit shacks, and it's called software development even when the software is shit.

            Engineering: A term that people can rightly complain about being misused if it were being used here

      • Agreed 100%.

        Web "developers": re-solving the same problems that the programmers writing native apps (programs) solved 20 years ago!

        We traded small, efficient, type safety (languages with a proper compiler) for a badly-designed toy language (Javascript, I'm sorry, "ECMAScript") that requires requires hacks such as strings ("use strict";) and uses megabytes for the run time.

        Javascript is the "Basic" of Web. Let's toss out all the lessons we learnt from good language design and re-implement all the mistakes!

    • Re:Nothing new (Score:5, Insightful)

      by KiloByte (825081) on Monday June 24, 2013 @05:52AM (#44090623)

      Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development.

      Just half? Your glasses are of such a bright shade of pink that it must make it hard to see. This sounds so optimistic that you perhaps still have shreds of faith in humanity.

    • by maestroX (1061960)

      Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development.

      The other half (=using pre-HTML5) cannot either. CORS is an improvement upon JSONP, simple script insertion, available in browsers right now.

    • I think a distinction needs to be made between the web developers who know how to program a web application and have an appreciation of security risks and the "web developer" who knows how to operate FrontPage, can "install" WordPress and put up one of the free themes with no modifications, or clicks on a web form to "create" a web page.

      Both groups can wind up with security holes. The former will likely try to avoid them but might wind up with them due to untested cases or mistakes (it happens to all of us

  • by roman_mir (125474) on Monday June 24, 2013 @04:48AM (#44090435) Homepage Journal

    At the minimum there should be full data encryption at the client level, that's just to start. Then there are other problems to solve (cross site code accessing information that it shouldn't be able to access)... Basically your desktop will have to solve issues that application and database servers have to solve and I can imagine this is a much more difficult task to accomplish. With application and database servers at least there are people, whose JOB it is to ensure security of the client data (from programmers to testers and administrators), but on the client side... it's very very sketchy, the number of potential problems is enormous.

    • by Common Joe (2807741) on Monday June 24, 2013 @05:47AM (#44090603) Journal

      Why the hell is parent modded to -1? roman_mir is spot on. If I'm surfing a website and it wants to store information locally, the web browser should encrypt it for security reasons. As a user, I don't want to have to worry about what information is being written out to my hard drive. Clear text for personal information? Banking information? I've RTFA and it says "[There is] a bank that used example HTML5 code for training developers that put data in permanent storage on the client system as opposed to temporary storage." There are people who say [slashdot.org] that banking institutions still use java applets. Think long and hard about this. Another question: do modern day browsers encrypt cookies? I don't know for sure, but I suspect they don't.

      And since I've RTFA, I'm going to take this conversation one level further. This ideology sure sounds like a very fat client to me. If we're going to use "sessionStorage, localStorage, and client-side databases" (as per TFA), why not just use an executable? Write the thing in .NET or Java or C? It would be faster for the client and easier to secure from a programming perspective. There's nothing stopping you from using APIs on the web using these languages. Are you saying it's because we can't trust websites? Then why is HTML5 giving access to "system services, such as camera, microphone, and GPS" and allowing "JavaScript to request resources from different domains"? (Again, this is straight from TFA.) About the only thing it doesn't have is unfettered access to the whole hard drive under the user's permissions. Or does it? I don't know. I'm beginning to wonder about how far HTML5 will allow access and under what conditions. Even if HTML 5 asks for permissions on everything it needs to, what do you think the standard user will say to all the "allow access?" questions?

      I'm a programmer, but not a web developer. Maybe this article is full of it and maybe it ain't, but in either case, roman_mir should not be modded down for what he is saying. There are legitimate concerns here that he is trying to raise and he hasn't said anything inflammatory in his post.

      • by jbolden (176878)

        This ideology sure sounds like a very fat client to me. If we're going to use "sessionStorage, localStorage, and client-side databases" (as per TFA), why not just use an executable?

        Browsers are much more hardened environments than mainstream OSes. More or less what this is evolving towards is what Microsoft proposed a decade ago of having a very hardened windows core running normal windows and a trusted computing subsystem that had limited ability to pass information between them. Everyone agrees that

        • Browsers are much more hardened environments than mainstream OSes.

          lololololololololololololololololololololololololololololololololol

      • by DrXym (126579)
        What threats do you think encryption will actually protect you from? If a browser transparently encrypts data as it is stored and transparently decrypts data as it is read then it's not going to help in any way at all if site A writes something and malicious site B reads it. It'll be plain text by then.

        Perhaps it could stop a drive by somehow uploading the file. But that's why browsers randomize their storage paths to begin with so that's already covered.

        So maybe it will stop a trojan or malicious plugi

      • This ideology sure sounds like a very fat client to me. If we're going to use "sessionStorage, localStorage, and client-side databases" (as per TFA), why not just use an executable? Write the thing in .NET or Java or C?

        This is, in fact, one of the motivating factors behind .NET, and why it was called .NET instead of "MFC++" or something. Microsoft wanted to make it the executable-distribution format of the internet.

      • by dgatwood (11270)

        Why the hell is parent modded to -1? roman_mir is spot on. If I'm surfing a website and it wants to store information locally, the web browser should encrypt it for security reasons.

        No, it really shouldn't. For 99% of sites, the user's ability to get to the data if the website goes belly-up without having to write code to extract a key from the user's keychain and decrypt the database trumps the need for encrypted local storage. For the remaining 1%, the site should use ephemeral session cookies that are

    • by fnj (64210)

      What the FUCK?! Parent is not a troll. Fix the mod. Argue the merits.

  • No risks here (Score:4, Interesting)

    by hobarrera (2008506) on Monday June 24, 2013 @05:59AM (#44090633) Homepage

    So... where's the risk? How can my computer be put at risk?
    If an app want to use localStorage, firefox prompts me for permision, and only assings 5KiB or something like that tops.

    The worst scenario I can picture, is my MANUALLY authorizing literally millons of websites and them filling up my disk.

    As for CORS: where's the security issue for the user? CORS is allowed for web hosts that explicitly state they support it. And again, how could that possible expose me?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      The risk is that in case the client computer is compromised (and a lot of them are) the attacker can steal data that is normally stored server-side. Say what you want, there are more clients-zombies than compromised servers. OTOH, if you have your client compromised, the convenience of stealing a stored session instead of hijacking it while it lasts isn't all that much of a gain for the attackers.

  • Stop it. (Score:5, Insightful)

    by SuricouRaven (1897204) on Monday June 24, 2013 @06:40AM (#44090821)

    Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.

    If you need anything more then HTML, CSS and forms, I hope you have a very good justification.

    • Re:Stop it. (Score:5, Funny)

      by 0123456 (636235) on Monday June 24, 2013 @06:42AM (#44090831)

      But the future is web apps replacing local apps so they can run anywhere.

      Except on tablets and phones, where the future is local apps replacing web apps.

      Or something.

      HTML5 looks like a total clusterfsck from here.

    • The needs of the business world is always changing and the needs of the internet is changing to meet it. HTML 5 isn't just a new shiny stuff which people can use. Its stuff people can do already but need large libraries and stuff to create now.
      Newer libraries just mean that you will download less to the client, in order to provide the rich user experience they expect now a days.

      TFA is pure FUD most of the problems which it highlights exist already. If anything HTML5 sorts out more issues than it creates.

      • I do like the video element, simply because it's a very common thing to want in a page and now can be done without an ugly plugin.

    • by Murdoch5 (1563847)
      Security, which is something the client side can't give you.
    • Re: (Score:2, Insightful)

      by mwvdlee (775178)

      Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.

      If you need anything more then HTML, CSS and forms, I hope you have a very good justification.

      Same thing, but with text-based terminals and same thing but with punchcards.
      Just make it up yourself, I'm too tired to demonstrate the ignorance of what you just said.
      Just remember that every time you press the "Preview" button before posting, you're using Javascript screwing around in the DOM.

      • And I'd be just as happy if that 'reply to this' link took me to reply.pl?parent=44090853, where I'd get a plain old form I could type my reply into.It may be old fashioned, but it'd run on every browser on every platform, even those with scripting disabled.

      • Just remember that every time you press the "Preview" button before posting, you're using Javascript screwing around in the DOM.

        Not those of us who use noscript. Admittedly, slashdot has made some very anti-noscript design decisions in recent years - in some cases instead of employing graceful degradation they've opted for "screw you" degradation - but it's stil mostly usable without javascript.

    • by Inda (580031)
      No. There were very few decent websites back then. I remember websites that limited me to <1000 chars of text because their backend couldn't handle any more.

      No. I did not enjoy typing a metric shitload of text into a form, only for the 56k modem to stutter, or the server to wobble, and lose the lot.

      No. Requesting the complete 200kb of HTML when I was only correcting a typo was not good.

      No. Things did not 'just work' every time. How can you forget "this page requires IE3.0".

      No. Uploading a 1.4mb file was
      • "I remember websites that limited me to 1000 chars of text because their backend couldn't handle any more."

        That's poor site design, not a limitation of the method.

        "No. I did not enjoy typing a metric shitload of text into a form, only for the 56k modem to stutter, or the server to wobble, and lose the lot."

        That still happens. Except now you don't get a nice error page you can click 'back' on, and you can't even save your text via copy-paste because the script helpfully hides the text element as soon as you

    • by gr8_phk (621180)

      Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX?

      Why yes, yes they do. I'm still pissed that you can't pass a parameter to a page in a link. This would be - for example - to highlight which item in a menu has been selected and possibly change content within the page. You can do all of this fancy CSS stuff and make things dependent on parameters, but only parameters whose value is de

      • Bookmarks! I liked the ability to bookmark a page, and go back to exactly where I left off, because the URL alone specified exactly what I was to see. Frames broke that, and then script-based navigation systems broke it even more.

    • Using a bit of JavaScript is nice. Can be used to add small conveniences that just don't work without it. But it should always gracefully degrade, something that's been essentially completely lost in 'modern' web development. You have JavaScript or you have no page.

    • Naw, you do not understand. Back then anyone could quickly create a web page. We definitely do not to allow that anymore....
  • by Murdoch5 (1563847) on Monday June 24, 2013 @06:46AM (#44090841)
    Why are you using client side code to store data? Bad overall concept from the get go. If you really need to store "large" amounts of data for a web session then store a session flag in the client and use encrypted sockets to transport the data to a secure server and flush the temp storage when your done.
    • I can see a lot of potential insofar as P2P browsergames go. Cut out the middleman so to speak. You could have decentralised discussion forums, exchanges, anywhere people need to collaborate. Things get kind of weird at that stage though, many websites would become much more like torrent indexes than a centrally served resource. Who knows, maybe the security risks will exceed the value created, to say nothing of efficiency, we'll see.

      • by gr8_phk (621180)

        Things get kind of weird at that stage though, many websites would become much more like torrent indexes than a centrally served resource.

        And there you have it. People want to place all the burden on the users machine and just be a middleman. It's not really a web app at all, but it's deployed from the web and keeps someone in the loop between users. To facilitate these silly middlemen we now have more security risk on a platform increasingly used for things like banking. Way to fucking go W3C.

    • by Jmc23 (2353706)
      Yes, let's all use bandwidth like it's oil.
  • by ducomputergeek (595742) on Monday June 24, 2013 @08:42AM (#44091749)

    We use HTML5/JS in conjunction with Apache Cordova to create Mobile Apps for iOS & Android. For most applications we're hired to do, mainly form apps really, this combo works well, we can build & deploy quickly. But everything we put into localstorage is encrypted using an AES library. User chooses a password as the key and have to reenter the password to retrieve the information. There is an option to wipe the database and clear all storage if you can't remember the password. It's simple and it keeps the data secure enough for our purposes. We're not storing credit card or other data usually. Is it foolproof, probably not, but better than nothing.

    • >We use HTML5/JS in conjunction with Apache Cordova ...
      >But everything we put into localstorage is encrypted using an AES library.

      Oh FFS! This is wrong on so many levels. I don't know where to start.

  • by Rambo Tribble (1273454) on Monday June 24, 2013 @08:58AM (#44091939)

    Whenever data is brought into a system, the system is subject to attack. Whether from a network connection or distribution media, exploits have always used whatever avenue of infection was available. HTML5 or JavaScript cannot change that fact.

    The ease with which an exploit can be fashioned is largely dependant on the level of access given the attack vector and the complexity of the code governing that vector. From Autoplay to VNC, the more control given the remote source, the more potential for manipulation.

    As we demand more from web applications and the technologies that enable them, we will open avenues of exploitation, almost by definition. New demands on developers, engineers and designers will be a natural result of this.

    On the bright side, this likely means a richer employment environment for web professionals; the flip side is it probably means more jobs for web hacks, too.

  • by psydeshow (154300) on Monday June 24, 2013 @12:55PM (#44094429) Homepage

    Yep. I'm a long-time web developer, and I do a lot of thinking about security and the sorry state of it on the Internets.

    Any time you decide to include third-party code in your pages, you are asking for trouble. The list of hijinx that a third-party script can cause (even with strong cross-domain protection) is limited only by the imagination of the attacker. For instance, even if they can't get at your precious session cookie or local storage data, an attacker can modify the DOM, right? And show a big, window-filling DIV that looks exactly like your login screen, complete with your own assets. Good fun.

    I cringe when I see big, commercial sites that ought to no better include trackers and other code from services they do not control -- in many cases poorly-funded startups that could fold or be bought out overnight. And if someone unscrupulous gets ahold of the company, or just the domain? Boom, code injection across your entire site.

    Because that's exactly what we're talking about: remote code injection as a best practice. It's the most ridiculous head-in-the-sand way to deploy software ever invented. You would never stand for this kind of thing on your desktop (running an unsigned executable over http) but for some reason it's how things are done on web pages. Sure, your browser provides a sandbox, but everything inside that sandbox (your web app!) can still get arbitrarily hacked.

    Web security is a huge freaking mess, and it's going to take us a generation to undo the standard procedures and move to a place where security and privacy are more than just buzzwords.

"The hottest places in Hell are reserved for those who, in times of moral crisis, preserved their neutrality." -- Dante

Working...