1. New tags and XSS

HTML5 defines many new tags and new events, and these can introduce new XSS vectors (the HTML5 Security Cheatsheet project was set up to study how HTML5 changes XSS attacks). Examples:

1) <video src="" onloadedmetadata="alert('XSS')"> -- loads a video remotely; the new event-handler attribute runs script
2) <audio> -- loads audio remotely (the same class of event handlers applies)
3) A new attribute for iframe, sandbox: with this attribute the content loaded in the iframe is treated as a separate origin in which scripts are disabled, forms are blocked, plugins cannot load, and links to other browsing contexts are blocked. The controllable parameters of the sandbox attribute are:
   allow-same-origin -- allow same-origin access
   allow-top-navigation -- allow navigating the top-level window
   allow-forms -- allow form submission
   allow-scripts -- allow script execution (but not popups)
4) Link type noreferrer: HTML5 <a> and <area> define a new link type, noreferrer; the browser will no longer send the Referer header when requesting the address the tag points to (the Referer can leak sensitive information). Eg: <a href="xxx" rel="noreferrer">
5) Canvas: the HTML5 graphics container, drawn with script. Canvas can be used (with script) to break image verification codes.
2. Other security issues

1) Cross-Origin Resource Sharing (CORS)
   Browser request header: Origin: http://www.a.com/test.html -- marks the origin the HTTP request was made from. The browser attaches the Origin header automatically; the server inspects it to decide whether the request comes from a legitimate source. This can be used to guard against CSRF.
   Server response: Access-Control-Allow-Origin: * -- allows the client's cross-domain request through (the wildcard "*" means a cross-domain request from any domain is allowed, which is very dangerous).

2) postMessage -- cross-window messaging
   The new HTML5 API postMessage lets a window send text messages to any other window (including the current window, pop-ups, iframes, etc.), and it is not restricted by the Same-Origin Policy.
   Send:    window.postMessage("xxxxxxx", targetOrigin);  (targetOrigin is the origin the message is intended for)
   Receive: window.addEventListener("message", function (e) { /* e.data holds the message */ });
   Security issues to be aware of when using it:
   a. Where necessary, the receiving window can verify the sender's domain or even URL, to block messages from illegitimate pages.
   b. Received messages must be security-checked; writing them directly into innerHTML or a script creates DOM-based XSS.
   c. postMessage can break the sandbox restriction.

3) Web Storage -- used to store complex or large amounts of data on the client (browser) side, similar to a cookie. Data is stored as key/value pairs. It consists of two parts: sessionStorage and localStorage.
   sessionStorage: stores data locally for one session; only pages in the same session can access it, and the data is destroyed when the session ends. So sessionStorage is not persistent local storage, only session-level storage.
   localStorage: persistent local storage; the data never expires unless it is actively deleted.
   Set a value: window.sessionStorage.setItem(key, value); window.localStorage.setItem(key, value);
   Read a value: window.sessionStorage.getItem(key); window.localStorage.getItem(key);
   Empty: window.sessionStorage.clear();
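The CORS and postMessage points above both come down to the same check: compare the Origin against an exact allowlist instead of trusting "*" or a substring match. The JavaScript below is an added example, not code from the book or from this page; the allowlisted origins, the peer origin, the message shape and the element id "out" are all constructed for illustration. The pure functions run under Node; the browser wiring at the end only activates when window and document exist.

```javascript
// Added example (not from the book or the page): origin checks for CORS
// responses and postMessage receivers. Origins, element id and message
// shape are constructed for illustration.

// Constructed allowlist of origins that may talk to this application.
const TRUSTED_ORIGINS = new Set([
  "https://app.example",
  "https://admin.app.example",
]);

// Exact match against the allowlist. A prefix or substring check would let
// https://app.example.evil.example through, so compare the whole origin.
function isTrustedOrigin(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// CORS response headers for a request carrying the given Origin header.
// Answering "Access-Control-Allow-Origin: *" would let any site read the
// response; instead echo the Origin only when it is on the allowlist and
// add "Vary: Origin" so shared caches keep per-origin responses apart.
function corsHeaders(requestOrigin) {
  if (!isTrustedOrigin(requestOrigin)) {
    return {}; // no CORS header: the browser blocks the cross-origin read
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin",
  };
}

// Receiver-side check for a "message" event. Returns the text to render,
// or null when the message must be dropped. Rejects messages from untrusted
// origins (point a) and non-string payloads; the caller then writes the
// result with textContent, never innerHTML, so no markup is interpreted
// (point b).
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  if (typeof event.data !== "string") return null;
  return event.data;
}

// Sender side: name the target origin instead of "*" so the message is not
// delivered if the target frame has meanwhile navigated to another site.
const PEER_ORIGIN = "https://app.example"; // constructed
function sendGreeting(targetWindow, text) {
  targetWindow.postMessage(text, PEER_ORIGIN);
}

// Browser wiring; skipped when the file runs under Node.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", function (e) {
    const text = handleMessage(e);
    if (text === null) return;
    const out = document.getElementById("out"); // constructed element id
    if (out) out.textContent = text;          // textContent, not innerHTML
  });
}
```

On the server side, corsHeaders would be called with the value of the incoming Origin header and its result merged into the response headers; the empty object for an unknown origin is deliberate, since omitting the header is what makes the browser refuse the cross-origin read.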
Source: White Hat Speaks Web Security, Chapter 6, HTML5 Security