"White Hat Talks Web Security" study notes, Chapter 6: HTML5 Security

Source: Internet
Author: User
Tags: sessionstorage

Chapter 6: HTML5 Security

6.1 New HTML5 Tags

6.1.1 XSS in the New Tags

HTML5 defines new tags and new events, which can be used to construct new XSS attack vectors. The blacklists and whitelists used by XSS filters therefore need to be updated continuously.

6.1.2 The iframe Sandbox

The sandbox attribute of an iframe is an important part of HTML5 security. It also introduces a new MIME type, text/html-sandboxed.

In an HTML5 page, the sandbox attribute can be applied to an iframe, for example: <iframe src="http://alibaba.com" sandbox>. When sandbox is given no value, the default security policy applies: the page inside the iframe is treated as a unique origin, forms cannot be submitted, scripts cannot execute, the framed page cannot navigate the parent page that contains the iframe anywhere else, and all plugins such as Flash and applets are disabled. Simply put, the iframe can do nothing except display content; as the name suggests, everything in it is put into a sandbox.

The sandbox attribute also supports more precise control through its parameters; several values can be chosen:

- allow-same-origin: allow same-origin access;

- allow-top-navigation: allow navigation of the top-level window;

- allow-forms: allow form submission;

- allow-scripts: allow script execution.
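Two practical points about those tokens are easy to miss: a misspelt token is silently ignored by the browser, so the capability is simply not granted, and the HTML specification warns that granting allow-scripts together with allow-same-origin to a page from the parent's own origin lets that page remove the sandbox attribute and reload itself, escaping the sandbox. The following helper, an added example and not code from the book or this page, checks a token list against the known values (the token set, the buildSandbox and sandboxedIframe names, and the warning texts are this example's own assumptions) and emits the iframe markup with the URL attribute-escaped:

```javascript
// Added example (not from the book or the page): validates iframe sandbox
// tokens and builds the attribute. Token names follow the HTML specification;
// the helper names and warning texts are this example's own choices.
const KNOWN_SANDBOX_TOKENS = new Set([
  'allow-same-origin',
  'allow-top-navigation',
  'allow-forms',
  'allow-scripts',
  'allow-popups',
]);

// Returns { value, warnings }. Throws on tokens the spec does not define:
// browsers ignore unknown tokens, so a typo such as "allow-script" quietly
// leaves scripting disabled instead of enabling it.
function buildSandbox(tokens) {
  const unknown = tokens.filter((t) => !KNOWN_SANDBOX_TOKENS.has(t));
  if (unknown.length) {
    throw new Error(`unknown sandbox token(s): ${unknown.join(', ')}`);
  }
  const set = new Set(tokens);
  const warnings = [];
  if (set.has('allow-scripts') && set.has('allow-same-origin')) {
    warnings.push(
      'allow-scripts with allow-same-origin: a framed page from the parent ' +
      'origin can reach the parent DOM and remove its own sandbox attribute',
    );
  }
  if (set.has('allow-top-navigation')) {
    warnings.push('allow-top-navigation: the framed page may navigate the top window');
  }
  return { value: [...set].join(' '), warnings };
}

// Builds the iframe tag as a string. The src value is attribute-escaped so an
// untrusted URL cannot break out of the attribute and add its own tokens.
function sandboxedIframe(src, tokens = []) {
  const escapeAttr = (s) =>
    String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
  const { value } = buildSandbox(tokens);
  const attr = value ? `sandbox="${value}"` : 'sandbox';
  return `<iframe src="${escapeAttr(src)}" ${attr}></iframe>`;
}

// Usage: sandboxedIframe('http://alibaba.com') reproduces the bare-sandbox
// example above; sandboxedIframe(url, ['allow-forms']) grants only forms.
```

The warnings are returned rather than thrown because the risky combination is sometimes required; the point is that the decision is made explicitly when the tag is generated, not discovered later.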

References: http://www.html5china.com/manual/html5/html5_iframe.htm

http://www.cnblogs.com/yuzhongwusan/archive/2011/11/17/2252208.html

6.1.3 Link Type: noreferrer

In HTML5, the <a> and <area> tags define a link type, noreferrer. Once a tag specifies noreferrer, the browser no longer sends the Referer header when requesting the linked address.

6.1.4 The Magic of Canvas

The <canvas> element is designed for client-side vector graphics. It does nothing on its own but exposes a drawing API to client-side JavaScript, so that a script can draw whatever it wants onto the canvas.

Because scripts can read the pixels of a <canvas>, it can also be used to crack verification-code (CAPTCHA) images in the browser.

Reference:http://www.jb51.net/html5/71804.html

6.2 Other Security Issues

6.2.1 Cross-Origin Resource Sharing

[Figure 62.png: cross-origin resource sharing (image not recoverable from the page)]

6.2.2 postMessage: Passing Messages Across Windows

HTML5 adds the postMessage method, which enables cross-document messaging. Internet Explorer 8, Firefox 3, Opera 9, Chrome 3 and Safari 4 all support postMessage.

A window receives cross-document messages by binding a handler to its message event.

postMessage allows any window (including the current window, pop-up windows, iframes, and so on) to send text messages to other windows, enabling cross-window message delivery. This feature is not restricted by the same-origin policy.

When using postMessage, two issues need attention:

- When necessary, the receiving window can validate the sender's domain, or even its exact URL, to prevent messages from illegitimate pages. This is in effect re-implementing the same-origin policy check in code.

- Following the "Secure by Default" principle, the receiving window should not trust the messages it receives; the content of each message needs to be checked for safety before use.
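Both checks can be put in one receiver: the browser fills in event.origin for every message, and the handler compares it against an allow list before it even looks at the data, then validates the data's shape before passing it on. The sender side has its own check: naming the target origin stops the message being delivered if the target window has meanwhile been navigated to another site. The code below is an added example, not from the book or this page; the trusted origin https://app.example, the {type, payload} JSON message format, and the helper names are assumptions made for it:

```javascript
// Added example (not from the book or the page): a postMessage receiver with
// an origin allow list and message validation, plus a sender wrapper. The
// origins, message format and function names are this example's assumptions.

// Returns a listener for window's "message" event. It reports why a message
// was dropped so the decision can be logged or tested.
function createMessageHandler(trustedOrigins, onMessage) {
  const allowed = new Set(trustedOrigins);
  return function handleMessage(event) {
    // Check 1: the sender's origin. event.origin is set by the browser and
    // cannot be forged by the sending page.
    if (!allowed.has(event.origin)) {
      return { accepted: false, reason: `untrusted origin ${event.origin}` };
    }
    // Check 2: do not trust the content either; parse it and check its shape.
    let msg = null;
    if (typeof event.data === 'string') {
      try {
        msg = JSON.parse(event.data);
      } catch {
        msg = null;
      }
    }
    if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') {
      return { accepted: false, reason: 'malformed message' };
    }
    onMessage(msg, event.origin);
    return { accepted: true, reason: '' };
  };
}

// Sender side: always name the target origin. A "*" target would hand the
// message to whatever site currently occupies the target window.
function sendMessage(targetWindow, msg, targetOrigin) {
  if (!targetOrigin || targetOrigin === '*') {
    throw new Error('refusing to post with wildcard targetOrigin');
  }
  targetWindow.postMessage(JSON.stringify(msg), targetOrigin);
}

// Browser wiring; skipped when the file runs under Node.
if (typeof window !== 'undefined') {
  window.addEventListener(
    'message',
    createMessageHandler(['https://app.example'], (msg) => {
      // Received data goes into textContent, never innerHTML or eval.
      document.getElementById('out').textContent = `${msg.type}: ${msg.payload}`;
    }),
  );
}
```

The handler returns an object so that the origin check and the content check can each be exercised with constructed events, which is also how such a receiver should be unit-tested before it ships.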

6.2.3 Web Storage

Web Storage actually consists of two parts: sessionStorage and localStorage. sessionStorage stores data locally for one session; it can only be accessed by pages in the same session and is destroyed when the session ends. sessionStorage is therefore not persistent local storage, only session-level storage. localStorage is used for persistent local storage: its data never expires unless it is actively deleted.

Advantages:

- Larger storage space: under IE8 each individual storage area is 10 MB; other browsers differ slightly, but all are much larger than cookies.

- Stored content is not sent to the server: when a cookie is set, its content is sent to the server with every request, which wastes bandwidth for data that is only needed locally. Data in Web Storage exists only locally and never interacts with the server.

- Richer, easier-to-use interface: Web Storage provides a richer set of methods that make data manipulation simpler.

- Separate storage space: each domain (including subdomains) has its own storage area, and the areas are completely independent, so data does not get mixed up.
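The persistence of localStorage cuts both ways: anything a page writes there stays on the user's machine until some code removes it, so data that should not outlive its usefulness needs an explicit lifetime. The wrapper below, an added example that is not from the book or this page, namespaces keys and stores each value with an expiry timestamp, purging expired entries lazily on read and eagerly on request. The MemoryStorage class is a constructed stand-in for window.localStorage so the code runs outside a browser; the ExpiringStore name, the "app" namespace and the injectable clock are this example's own assumptions:

```javascript
// Added example (not from the book or the page): an expiring, namespaced
// wrapper over a Web Storage object. MemoryStorage is a constructed stand-in
// for window.localStorage; the wrapper's names are this example's assumptions.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }   // Web Storage stores strings
  removeItem(k) { this.map.delete(k); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
}

class ExpiringStore {
  // `now` is injectable so expiry can be exercised without waiting.
  constructor(storage, namespace, now = () => Date.now()) {
    this.storage = storage;
    this.prefix = `${namespace}:`;
    this.now = now;
  }
  // ttlMs: how long the value stays valid; omit it for data the caller
  // removes explicitly. Values are JSON-encoded with their expiry.
  set(key, value, ttlMs) {
    const record = { v: value, exp: ttlMs ? this.now() + ttlMs : null };
    this.storage.setItem(this.prefix + key, JSON.stringify(record));
  }
  // Returns null for missing, expired or corrupt entries and removes the
  // latter two, so stale data never reaches the caller.
  get(key) {
    const fullKey = this.prefix + key;
    const raw = this.storage.getItem(fullKey);
    if (raw === null) return null;
    let record;
    try {
      record = JSON.parse(raw);
    } catch {
      this.storage.removeItem(fullKey);
      return null;
    }
    if (record.exp !== null && this.now() >= record.exp) {
      this.storage.removeItem(fullKey);
      return null;
    }
    return record.v;
  }
  // Removes every expired entry under this namespace (e.g. at page load) and
  // returns how many were dropped. Iterates backwards because removal shifts
  // the indices that key(i) exposes.
  purge() {
    let removed = 0;
    for (let i = this.storage.length - 1; i >= 0; i--) {
      const k = this.storage.key(i);
      if (k === null || !k.startsWith(this.prefix)) continue;
      this.get(k.slice(this.prefix.length));
      if (this.storage.getItem(k) === null) removed++;
    }
    return removed;
  }
}

// In a browser: const store = new ExpiringStore(window.localStorage, 'app');
```

Note that this does not make localStorage a safe place for secrets: any script running in the same origin, including injected script, can read it. The wrapper limits how long data lingers; it does not restrict who can read it.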

