Johannes Ullrich, chief research officer, SANS Technology Institute

HTML5 is going beyond adding a number of new HTML tags for video and audio. One of the core components is an extensive JavaScript application programming interface (API) allowing for offline applications and increasing the ability to store data on the client. This ability, frequently used in mobile applications with unreliable network connectivity, tempts the developer to move larger pieces of the application logic to the client. For example, the developer may choose to send a complete data set to the client and use client-side JavaScript to provide access control to data already stored on the client. This is a flaw reminiscent of JavaScript client-side input validation, but more dangerous.

As well, data validation can be redone on the server. Once data has left the server and is stored on the client, no server fix will be able to recall it. Applications like this will be more responsive and functional than applications relying on server-side access control – making these dangerous techniques attractive to developers.
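The pattern Ullrich describes, shown side by side with its server-side counterpart. This is an added example, not code from the article or either contributor: `makeFakeLocalStorage` stands in for `window.localStorage` so it runs outside a browser, and the records, user names and roles are constructed sample data. The audit helper at the end makes the difference measurable: with client-side access control, the other users' records are sitting in the client's storage even though the application never displays them.

```javascript
// Added example (not from the original article): client-side access control over a
// fully cached data set versus filtering on the server before anything is sent.
// `makeFakeLocalStorage` stands in for window.localStorage so this runs in Node;
// RECORDS and the users below are constructed sample data.

// Constructed sample data set: records owned by different users.
const RECORDS = [
  { id: 1, owner: 'alice', body: 'alice record 1' },
  { id: 2, owner: 'alice', body: 'alice record 2' },
  { id: 3, owner: 'bob',   body: 'bob record 1' },
  { id: 4, owner: 'carol', body: 'carol record 1' },
];

// Minimal stand-in for window.localStorage (string values only, like the real API).
function makeFakeLocalStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    clear: () => m.clear(),
  };
}

// The authorization rule, kept in one place so both patterns apply the same policy.
function mayRead(user, record) {
  return user.role === 'admin' || record.owner === user.name;
}

// DANGEROUS PATTERN: the server ships the complete data set, the client caches it
// for offline use, and JavaScript on the client decides what to show.
function dangerousClientSideAccessControl(user, storage) {
  storage.setItem('dataset', JSON.stringify(RECORDS)); // everything lands on the client
  const cached = JSON.parse(storage.getItem('dataset'));
  return cached.filter((r) => mayRead(user, r));       // only the *view* is filtered
}

// SAFER PATTERN: the server applies the policy before the response leaves it, so
// the client cache can only ever hold what this user is allowed to read.
function serverSideFilter(user) {
  return RECORDS.filter((r) => mayRead(user, r));
}
function safeClientCache(user, storage) {
  storage.setItem('dataset', JSON.stringify(serverSideFilter(user)));
  return JSON.parse(storage.getItem('dataset'));
}

// Audit helper: records present in this client's storage that the current user
// is not authorized to read. Anything here is data no server-side fix can recall.
function leakedRecords(user, storage) {
  const cached = JSON.parse(storage.getItem('dataset') || '[]');
  return cached.filter((r) => !mayRead(user, r));
}
```

Both patterns render the same single record for the user `bob`, which is why the flaw is easy to miss in functional testing; only inspecting the storage itself shows that the first pattern has cached three records he may not read.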


Mike Shema, director of engineering at Qualys

HTML5 infuses the aging web standard with features that distill programming hacks into APIs with better security controls. Long polling becomes WebSockets; JSONP and IFRAME juggling become Cross-Origin Resource Sharing, and media and canvas elements replace insecure, platform-specific plugins.

HTML5 improves the granularity of the Same Origin Policy. IFRAME tags get sandbox attributes. Web workers are separated from the Document Object Model (DOM). It's no coincidence that several aspects resemble the emerging Content Security Policy (CSP). 

Browsers will encounter implementation errors; that's been the case since Mosaic appeared 20 years ago. Such flaws aren't blemishes on HTML5's fundamental design. HTML5 is actively used, but still in draft, so problems can be resolved when the specs meet reality. This is how the WebSockets API and WebGL evolved. Browsers have put great effort into improving security. Now it's up to sites to embrace them.
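One of the "better security controls" Shema refers to: where JSONP trusted any page that could load a script, Cross-Origin Resource Sharing lets the server decide per origin. The decision logic below is an added example, not code from the article or from Qualys; the allowlist and the request origins are constructed sample values. It normalizes the `Origin` header through the URL parser, compares whole origins rather than prefixes, and sends no `Access-Control-*` headers at all for anything not on the list.

```javascript
// Added example (not from the original article): server-side CORS origin allowlist.
// ALLOWED_ORIGINS and the origins exercised in the usage are constructed values.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Decide which CORS response headers, if any, to send for a request carrying `origin`.
// Returns null when the origin is absent, unparseable or not allowlisted: the response
// then carries no Access-Control-* headers and the browser refuses the cross-origin read.
// The Origin value is never echoed back blindly; only the normalized, allowlisted
// origin is written into Access-Control-Allow-Origin.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string') return null;   // same-origin or non-browser client: nothing to grant
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null;                                  // malformed Origin header
  }
  // URL.origin drops paths, trailing slashes and default ports, so
  // 'https://app.example.com:443/' and 'https://app.example.com' compare equal.
  // Opaque origins (file://, sandboxed iframes) serialize as the string 'null'.
  const normalized = parsed.origin;
  if (normalized === 'null' || !allowed.has(normalized)) return null;
  return {
    'Access-Control-Allow-Origin': normalized,
    'Access-Control-Allow-Credentials': 'true',   // acceptable only because the origin is allowlisted
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',                             // shared caches must not reuse one origin's answer for another
  };
}

// Whole-origin comparison, not prefix matching: a startsWith() check on the allowlist
// entry would wrongly accept a host that merely begins with the allowed name.
function isAllowedByPrefixMistake(origin, allowed = ALLOWED_ORIGINS) {
  return [...allowed].some((a) => origin.startsWith(a));
}

// Usage: the same decision serves both the preflight (OPTIONS) and the actual request.
for (const o of ['https://app.example.com', 'https://app.example.com.attacker.example', undefined]) {
  console.log(o, '->', corsHeadersFor(o) ? 'allowed' : 'no CORS headers');
}
```

`isAllowedByPrefixMistake` is included only to show the contrast in the check itself: the subdomain-style origin it accepts is rejected by `corsHeadersFor`, because a `Set` lookup on the normalized origin matches whole origins only.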