The Geography of HTML5 Security

Posted by JensenBreck on 2017-09-11 19:47:33

Tags: none


HTML5 reinvigorates a technology that’s been driving web content for more than 20 years. Notably, modern browsers can still render the majority of decades-old sites still lingering from the web’s early days, but modern sites expect browsers to be a significantly more powerful platform than their predecessors. Facebook tried to push these computing boundaries even further with a pure HTML5 mobile app, but discovered there are certain limitations that come with a billion or so users. Some problems are nice to have.


The new standard also pushes security boundaries. Sites won’t immediately benefit just by adding a <!doctype html> declaration to their pages. Instead, they can improve security by adopting features that control how the browser shares or interprets content from different sources. Other features allow the browser to store more data, a great improvement over cookies, but careless use of these features has consequences for security and privacy.


Cross-Origin Resource Sharing – Border Control

Browser security largely rests on the Same Origin Policy (SOP) to strictly separate content based on its source. It’s intended to keep sites from interfering with each other. However, it hasn’t made much of an impact on browser attacks like HTML injection (aka cross-site scripting), cross-site request forgery (CSRF), clickjacking, or malware. SOP even hampers legitimate kinds of site architectures, leading devs to create inelegant, less secure workarounds.


Cross-Origin Resource Sharing (CORS) presents a way to lift this barrier that, for example, helps sites use different domains for APIs, user-generated content, or security-sensitive actions in order to create a more flexible separation of duties. And it does this without forcing an all-or-nothing decision on trust.
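The per-origin trust decision described above, as an added example that is not part of the original post: a small server-side CORS helper that grants cross-origin access only to an explicit allowlist (the origins below are constructed sample values), shown beside the origin-reflecting shortcut that turns CORS back into an all-or-nothing grant.

```javascript
// Added example, not code from the original post. Sample allowlist of
// constructed origins a site might trust for credentialed API calls.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // main site
  'https://cdn.example.com',   // separate domain for user-generated content
]);

// Decide which CORS headers to send for a request carrying `requestOrigin`.
// Returns null when the origin is not trusted: the browser then falls back
// to the Same Origin Policy and blocks the cross-origin read.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string') return null;      // same-origin or non-browser request
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return null;                                            // malformed or opaque ("null") Origin
  }
  // Compare the normalised origin (scheme + host + port), never a substring or
  // prefix: "https://app.example.com.attacker.test" must not match.
  if (!allowed.has(parsed.origin)) return null;
  return {
    'Access-Control-Allow-Origin': parsed.origin,           // echo only a vetted origin
    'Access-Control-Allow-Credentials': 'true',             // safe only with an explicit origin, never with "*"
    'Access-Control-Allow-Methods': 'GET, POST',
    'Vary': 'Origin',                                       // stop caches serving one origin's answer to another
  };
}

// The weak counterpart to recognise in a review: reflecting whatever Origin
// arrives, with credentials, lets any site read authenticated responses.
function reflectAnyOrigin(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}
```

When auditing a deployment, the pairing of a reflected or wildcard `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true` is the setting to flag.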



