funsec mailing list archives
Re: In Defense of HTML5
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 4 Dec 2012 13:35:20 -0800
Most of the complaints about "new HTML5 attacks" are knee-jerk, or just use this term for no particular reason. For example, if the new semantics open up obvious security vulnerabilities in your HTML sanitizer, it's probably completely pwnable anyway. After some initial and very frightening missteps, a bunch of features (e.g., CORS, web sockets, navigation timing, etc) were tweaked so that they have a near-zero effect on the security properties of existing websites, or offer robust benefits (postMessage, JSON.parse, etc). There is also a bunch of security features that probably won't offer the promised benefits (e.g., CSP and sandboxed frames), but they also don't make a huge difference. There is a number of serious problems with the web, but for most part, they have very little to do with HTML5 per se; if the new features make them worse, it's only incrementally so. It's a shame that nobody is trying to really tackle them, but "somebody ought to do something" is always a pretty weak complaint, so... =) /mz _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- In Defense of HTML5 Jeffrey Walton (Dec 04)
- Re: In Defense of HTML5 Stephanie Daugherty (Dec 04)
- Re: In Defense of HTML5 Paul Ferguson (Dec 04)
- Re: In Defense of HTML5 Dan Kaminsky (Dec 04)
- Re: In Defense of HTML5 Paul Ferguson (Dec 04)
- Re: In Defense of HTML5 Michal Zalewski (Dec 04)
- Re: In Defense of HTML5 Jeffrey Walton (Dec 05)
- Re: In Defense of HTML5 Michal Zalewski (Dec 05)
- Re: In Defense of HTML5 Jeffrey Walton (Dec 05)
- Re: In Defense of HTML5 Jeffrey Walton (Dec 05)
- Re: In Defense of HTML5 Stephanie Daugherty (Dec 04)