funsec mailing list archives

Re: In Defense of HTML5


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 4 Dec 2012 13:35:20 -0800

Most of the complaints about "new HTML5 attacks" are knee-jerk, or
just use this term for no particular reason. For example, if the new
semantics open up obvious security vulnerabilities in your HTML
sanitizer, it's probably completely pwnable anyway.

After some initial and very frightening missteps, a bunch of features
(e.g., CORS, web sockets, navigation timing, etc.) were tweaked so that
they have a near-zero effect on the security properties of existing
websites, or offer robust benefits (postMessage, JSON.parse, etc).
There is also a bunch of security features that probably won't offer
the promised benefits (e.g., CSP and sandboxed frames), but they also
don't make a huge difference.

There are a number of serious problems with the web, but for the most part,
they have very little to do with HTML5 per se; if the new features
make them worse, it's only incrementally so. It's a shame that nobody
is trying to really tackle them, but "somebody ought to do something"
is always a pretty weak complaint, so... =)

/mz
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

