The Security Risks of HTML5 Development
CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."
Javascript (Score:2, Insightful)
Where remote code execution is by design.
Nothing new (Score:5, Insightful)
Re:Nothing new (Score:4, Insightful)
I strongly object to using the word "developers" to describe people that are clearly fucking hacks. You don't become a doctor just because you use a scalpel to cut people open. Spade, meet shovel.
Half the web hacks out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web hackery. As with adding any other new buzzword feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on replacing hacks with real developers instead of trying to cram every new buzzword tech they can into their piece of shit application.
Re:Nothing new (Score:0, Insightful)
Except the developers aren't only hurting themselves, they're hurting users? Think before you comment much..?
Re:Nothing new (Score:5, Insightful)
What does that have to do with anything? A mechanic using the cheapest possible materials hurts his users when his repairs fail. A house built by the cheapest contractor with the cheapest materials may develop severe faults - to the point of essentially being condemned. How does this not hurt the customers/users?
Re:Nothing new (Score:5, Insightful)
Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development.
Just half? Your glasses are of such a bright shade of pink that it must make it hard to see. This sounds so optimistic that you perhaps still have shreds of faith in humanity.
Stop it. (Score:5, Insightful)
Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.
If you need anything more than HTML, CSS and forms, I hope you have a very good justification.
Re:Stop it. (Score:2, Insightful)
Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.
If you need anything more than HTML, CSS and forms, I hope you have a very good justification.
Same thing, but with text-based terminals and same thing but with punchcards.
Just make it up yourself, I'm too tired to demonstrate the ignorance of what you just said.
Just remember that every time you press the "Preview" button before posting, you're using Javascript screwing around in the DOM.
Re:then stop hijacking phrases from other industri (Score:4, Insightful)
Wrong. Why would anyone want to take on such a job?
Surgeons and lawyers are very different professions: they own their own businesses, they're their own bosses, and they make a ton of money (unless they're in a junior position, but the career goal is to have your own practice, or be a "partner" in a top law firm which is mostly the same thing).
Developers and other software people aren't their own bosses, unless they're contractors. They work for corporations, and are just paid employees, no different from secretaries or janitors. They have zero control over their own work and how they do it: they have to do whatever their boss tells them to. Why should a developer be responsible for something failing when he was directed to write it in a half-ass manner by his boss?
Re:Nothing new (Score:2, Insightful)
While that is to a certain extent true; the real value of regulation is limiting competition by requiring licensure and often educational requirements to get and maintain a license.
The real purpose of regulation is so your fucking house doesn't burn down because someone who wasn't trained installed the wiring.