Johannes Ullrich, chief research officer, SANS Technology Institute
As well, data validation can be redone on the server. Once data has left the server and is stored on the client, no server fix will be able to recall it. Applications like this will be more responsive and functional than applications relying on server-side access control, making these dangerous techniques attractive to developers.
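The server-side re-validation Ullrich refers to, written up here as an added example; it is not part of the original article or of his remarks. It models a shopping cart that the browser keeps in localStorage (with a cached copy of prices) and later posts back. The server treats that copy purely as untrusted input: it looks up each SKU in its own catalog, checks quantities, and recomputes every price itself. The catalog, SKUs and request bodies are constructed for illustration.

```javascript
// Added example (not from the article or from Ullrich): server-side
// re-validation of an order the browser assembled from localStorage.
// CATALOG, the SKUs and the request bodies below are constructed.

// Server-side source of truth. The client also keeps prices in
// localStorage for a responsive UI, but once that copy comes back in a
// request it is just untrusted input.
const CATALOG = new Map([
  ['sku-100', { name: 'USB key', priceCents: 1299, maxQty: 10 }],
  ['sku-200', { name: 'Headset', priceCents: 5999, maxQty: 2 }],
]);

// Validate and re-price an order body. Returns { ok: true, order } with
// server-computed totals, or { ok: false, errors } listing every defect.
// The only client fields used are sku (to look up the product) and qty.
function validateOrder(body) {
  if (body === null || typeof body !== 'object' || !Array.isArray(body.items)) {
    return { ok: false, errors: ['body.items must be an array'] };
  }
  const errors = [];
  if (body.items.length === 0 || body.items.length > 50) {
    errors.push('items must contain between 1 and 50 entries');
  }
  const lines = [];
  let totalCents = 0;
  for (const [i, item] of body.items.entries()) {
    if (item === null || typeof item !== 'object') {
      errors.push(`items[${i}] is not an object`);
      continue;
    }
    const product = CATALOG.get(item.sku);
    if (product === undefined) {
      errors.push(`items[${i}].sku is unknown`);
      continue;
    }
    // Quantity must be a positive integer within the per-item cap.
    // Number.isInteger rejects strings, NaN, Infinity and floats like 1.5.
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > product.maxQty) {
      errors.push(`items[${i}].qty must be an integer between 1 and ${product.maxQty}`);
      continue;
    }
    // Any client-supplied price is ignored, not merely compared:
    // the server recomputes the line from CATALOG.
    const lineCents = product.priceCents * item.qty;
    totalCents += lineCents;
    lines.push({ sku: item.sku, name: product.name, qty: item.qty, lineCents });
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, order: { lines, totalCents } };
}

// Constructed request bodies: an honest cart, and one whose localStorage
// copy was edited in dev tools to lower a price, exceed a quantity cap,
// add an unknown SKU and send a quantity as a string.
const honest = { items: [{ sku: 'sku-100', qty: 2, priceCents: 1299 }] };
const tampered = {
  items: [
    { sku: 'sku-200', qty: 99, priceCents: 1 },
    { sku: 'sku-999', qty: 1, priceCents: 0 },
    { sku: 'sku-100', qty: '3', priceCents: 1299 },
  ],
};

console.log(JSON.stringify(validateOrder(honest)));
console.log(JSON.stringify(validateOrder(tampered)));
```

The honest cart is accepted with a total of 2598 cents computed from the catalog; the tampered cart is rejected with three separate errors, and even a well-formed item with a falsified `priceCents` is priced from the server's catalog, because the client's figure never enters the computation.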
Mike Shema, director of engineering at Qualys
HTML5 infuses the aging web standard with features that distill programming hacks into APIs with better security controls. Long polling becomes WebSockets; JSONP and IFRAME juggling become Cross-Origin Resource Sharing; and media and canvas elements replace insecure, platform-specific plugins.
HTML5 improves the granularity of the Same Origin Policy. IFRAME tags get sandbox attributes. Web workers are separated from the Document Object Model (DOM). It’s no coincidence that several aspects resemble the emerging Content Security Policy (CSP).
Browsers will encounter implementation errors; that’s been the case since Mosaic appeared 20 years ago. Such flaws aren’t blemishes on HTML5’s fundamental design. HTML5 is actively used but still in draft, so problems can be resolved when the specs meet reality. This is how the WebSockets API and WebGL evolved. Browsers have put great effort into improving security. Now it’s up to sites to embrace them.
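Shema contrasts JSONP and IFRAME tricks with Cross-Origin Resource Sharing, whose security control is the server's explicit decision about which origins may read a response. The following is an added example, not code from the article or from Shema, showing that decision as pure functions so it can be exercised without a socket: an exact-match origin allowlist, refusal of the `null` origin, a credentialed response header set, and pre-flight handling. The origins, methods and headers are assumptions chosen for illustration.

```javascript
// Added example (not from the article or from Shema): the server side of a
// CORS policy. ALLOWED_ORIGINS, ALLOWED_METHODS and ALLOWED_HEADERS are
// illustrative assumptions, not values from the page.

// Exact scheme + host + port matches only. A substring or regex match would
// let "https://app.example.com.evil.net" through.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'DELETE'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

// Lower-case header names so lookups do not depend on how the client spelled them.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Compute the CORS response headers for an incoming Origin.
//   {}   -> no Origin header: same-origin or non-browser client, nothing to add
//   null -> cross-origin request from an origin we do not trust
function corsHeaders(origin) {
  if (origin === undefined) return {};
  // Sandboxed iframes, file:// pages and some redirects send the literal
  // string "null"; allowing it would let any such page read the response.
  if (origin === 'null') return null;
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    // Echo only an allowlisted origin. "*" is rejected by browsers when
    // credentials are allowed, and reflecting any Origin defeats the check.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
    'Access-Control-Max-Age': '600',
    // Shared caches must key on Origin, or one client's allowed origin
    // is served to another.
    'Vary': 'Origin',
  };
}

// Decide how to answer a request. Returns { status, headers } so the policy
// can be tested without a network. An untrusted origin gets 403 before any
// handler runs: omitting the header would stop the browser from reading the
// response, but a state-changing POST would already have executed.
function handle(method, rawHeaders) {
  const headers = normalizeHeaders(rawHeaders);
  const cors = corsHeaders(headers.origin);
  if (cors === null) return { status: 403, headers: {} };

  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in headers;
  if (isPreflight) {
    const wanted = headers['access-control-request-method'];
    if (!ALLOWED_METHODS.includes(wanted)) return { status: 403, headers: {} };
    return { status: 204, headers: cors };
  }
  return { status: 200, headers: { ...cors, 'Content-Type': 'application/json' } };
}

// Constructed requests exercising each branch.
const samples = [
  ['GET', { Origin: 'https://app.example.com' }],
  ['GET', { Origin: 'https://app.example.com.evil.net' }],
  ['GET', { Origin: 'null' }],
  ['GET', {}],
  ['OPTIONS', { Origin: 'https://admin.example.com', 'Access-Control-Request-Method': 'DELETE' }],
  ['OPTIONS', { Origin: 'https://admin.example.com', 'Access-Control-Request-Method': 'PATCH' }],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), '->', JSON.stringify(handle(method, headers)));
}
```

The two refusals worth noting are the look-alike origin, which an allowlist built on `startsWith` or an unanchored regex would accept, and the `null` origin, which is not a "missing" origin but a real value a sandboxed frame can present.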